ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

节点小宝管理

v1.0.0

Manage 节点小宝 (Node Baby Link / JDxB) remote access service on Linux. Install, start/stop/restart the systemd service, check status, view logs, get pairing cod...

0· 121·0 current·0 all-time
by@skipper-chen

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for skipper-chen/jdxb.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "节点小宝管理" (skipper-chen/jdxb) from ClawHub.
Skill page: https://clawhub.ai/skipper-chen/jdxb
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install jdxb

ClawHub CLI

Package manager switcher

npx clawhub@latest install jdxb
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The script implements install/start/stop/restart/status/logs/pair/uninstall for a JDxB-like service, matching the skill description. However, the SKILL.md recommends an "official" one-liner (https://iepose.com/install.sh) while the bundled script actually downloads binaries from http://cdn.ionewu.com and queries https://dpis.ionewu.com; the domain mismatch is unexplained and odd.
!
Instruction Scope
Runtime instructions tell the agent (and the user) to run the included shell script which, when run as root, writes a systemd unit, enables and starts a service, and downloads/extracts remote archives. The SKILL.md also explicitly suggests piping a remote install script to sudo bash (curl -sL https://iepose.com/install.sh | sudo bash). The script accepts an optional PID env var (not documented in SKILL.md) and contacts external endpoints to fetch an activation code. These instructions expand scope beyond local management into executing remote code and contacting external services.
!
Install Mechanism
There is no vetted install spec; the bundled script downloads a tgz from BASE_URL using plain HTTP (http://cdn.ionewu.com/...), extracts it, and executes start.sh from the archive. The SKILL.md additionally recommends a curl|bash installer from a different domain (iepose.com). Downloading unsigned binaries over HTTP and recommending piping remote scripts to sudo bash are high-risk practices.
Credentials
No credentials or env vars are declared, which is consistent with the declared metadata. The script does require root for install/service operations (expected for creating a systemd service). It will read an optional PID environment variable if present (PID override used when contacting the active-code endpoint) but SKILL.md does not document this optional env var.
Persistence & Privilege
The skill does not set always:true and is user-invocable. The script installs and enables a systemd service (normal for a daemon installer). It does not appear to modify other skills or global agent config.
What to consider before installing
This package appears to implement a manager for a remote-access service, but it asks you (or will run) to download and execute code from third-party hosts. Specifically: the bundled installer fetches a tarball over plain HTTP from cdn.ionewu.com and the skill suggests running a remote install script (curl ... | sudo bash) from iepose.com. Those are dangerous patterns because the downloaded code is unsigned, comes from domains unrelated to each other, and could be replaced or malicious. If you consider installing: 1) Do NOT run the curl|bash one-liner unless you fully trust the domain. 2) Inspect the downloaded tarball and start.sh contents in a sandbox before running as root. 3) Prefer HTTPS and verified releases (checksums / signatures). 4) Consider installing on an isolated VM/container first. 5) If you need pairing info, be aware the script contacts dpis.ionewu.com with parameters extracted from your local service—this transmits identifiers to that external host. If you can't verify the provenance of these domains or the binaries, treat this skill as risky and avoid installing it on production systems.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dzyxhdpsmwz8xfe741jej3983e00q
121downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@skipper-chen
latest
Download

节点小宝 (JDxB) Management

Quick Commands

Use the bundled script for all operations:

bash skills/jdxb/scripts/jdxb.sh <command>
CommandDescription
statusShow service status, version, and pairing info
startStart the service
stopStop the service
restartRestart the service
logsView recent journal logs
pairGet current pairing URL and active code
installFirst-time install (downloads from CDN)
updateUpdate to latest version
uninstallStop service and remove files

Installation

Requires root. First-time install:

sudo bash skills/jdxb/scripts/jdxb.sh install

Or use the official one-liner:

curl -sL https://iepose.com/install.sh | sudo bash

Service Details

  • Service name: owjdxb.service
  • Default port: 9118
  • Install dir: ~/owjdxb/
  • Working dir: /home/skipper/owjdxb/
  • Logs: /tmp/.owjdxb/ and journalctl -u owjdxb.service

Pairing

After install/start, the script waits up to 30s for the service to generate a pairing URL. The URL contains an active code for the 节点小宝 mobile app. To get the pairing code at any time:

bash skills/jdxb/scripts/jdxb.sh pair

The script automatically extracts the active code from the pairing server.

Web Dashboard

Access at http://127.0.0.1:9118 (local only). The service redirects to the pairing page on first access.

Comments

Loading comments...