Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
调用 JavaSkillController 提供的 HTTP 接口,供 OpenClaw/OpenLaw 执行业务操作、健康检查。
v1.0.1调用 JavaSkillController 提供的 HTTP 接口,供 OpenClaw/OpenLaw 执行业务操作、健康检查。
⭐ 0· 142·0 current·0 all-time
by@lintqiu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description claim a simple HTTP client for JavaSkillController (execute/execute-v2/health). The included script and SKILL.md implement exactly that functionality; requiring a base URL and calling /api/skill endpoints is proportional to the stated purpose.
Instruction Scope
Runtime instructions are narrowly scoped: they read one environment variable (JAVA_API_URL) and call three HTTP endpoints under /api/skill. They do not instruct reading arbitrary files or other environment variables, nor do they send data to hard-coded third-party endpoints. However, SKILL.md and the script explicitly require JAVA_API_URL while the registry metadata lists no required env vars — an instruction/metadata mismatch.
Install Mechanism
This is an instruction-only skill with no install spec. The only runtime dependency is the Python 'requests' package referenced in scripts/call_java_api.py; that dependency is typical for a simple client but is not declared in any install metadata (not a security risk by itself, but an operational omission).
Credentials
The skill needs a single environment variable (JAVA_API_URL) to operate — that's reasonable. However, the registry metadata lists 'Required env vars: none' while SKILL.md and the script require JAVA_API_URL. This mismatch means the skill may be deployed without the operator realizing a network endpoint will be contacted. No other secrets are requested.
Persistence & Privilege
Skill is not always-enabled, does not request broad platform privileges, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to do what it says: call your JavaSkillController via an HTTP base URL you must supply. Before installing: (1) confirm the registry metadata is updated to declare the required environment variable (JAVA_API_URL) so operators know a network call will occur; (2) ensure JAVA_API_URL points to a trusted internal service (do not set it to an external or unknown host); (3) validate network policies (eg. restrict egress to your Java service) and review logs on the target service to verify expected behavior; (4) if you plan to run the included script, ensure the Python 'requests' package is available; (5) prefer installing only from a known publisher or source — the skill's source/homepage are missing. These mismatches are likely sloppy/operational omissions rather than malicious, but treat the network endpoint as sensitive until verified.Like a lobster shell, security has layers — review code before you run it.
latestvk979ndxtqqbj90p76q4sc25tpx8330m4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.