Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
JSON Diff Tool
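v1.0.0
Free online JSON comparison tool with path-level difference highlighting. Data is processed locally and not uploaded. Suited to analysing differences in API, configuration and test data.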
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included functionality: a small, pure front-end JSON diff UI that claims to process data locally. The shipped index.html contains the expected JS for parsing and diffing. However, SKILL.md lists remote URLs (clawhub.ai, a trycloudflare subdomain, and a GitHub repo) as the primary ways to 'start' the tool instead of telling the user/agent to open the bundled local file. That difference is notable because the remote sites could serve different code than the included index.html.
Instruction Scope
Runtime instructions direct users/agents to visit external URLs (including a trycloudflare subdomain). The SKILL.md asserts 'data not uploaded', but the instructions' emphasis on remote hosted pages means users might paste data into a site you don't control. The SKILL.md does not instruct the agent to inspect or prefer the local index.html bundle before directing users to the remote site, creating scope for surprising remote behaviour (analytics, ad scripts, or exfiltration) that contradicts the privacy claim.
Install Mechanism
No install spec and no required binaries or environment variables — the skill is instruction-only (and ships a local HTML file). This is low risk from an install perspective because nothing is written or executed on disk by an installer.
Credentials
The skill requests no environment variables, credentials, or config paths and its stated functionality (pure front-end JSON diff) does not require secrets. That is proportionate.
Persistence & Privilege
The skill is not always-on and does not request elevated or persistent agent privileges. Autonomous invocation is allowed (the platform default), which is normal for skills, and does not by itself increase the risk here.
What to consider before installing
This skill appears to be a small, local, front-end JSON diff utility (the included index.html contains the expected parsing/diff code). The main concern is that the SKILL.md tells users to open remote URLs (clawhub.ai and a trycloudflare subdomain) rather than explicitly using the bundled local file. Remote hosts can change code or add analytics/ads/exfiltration later, which would break the 'data not uploaded' claim. Before installing or using: (1) prefer opening and using the bundled index.html locally (or review its full source) rather than pasting sensitive JSON into the remote site; (2) if you must use the remote URL, manually inspect that remote page's source (or the GitHub repo) to ensure it matches the bundled index.html; (3) avoid pasting secrets (API keys, full responses containing credentials) into any web-based tool unless you trust the host; (4) note the minor metadata inconsistency: the skill was labeled 'instruction-only' but does include an index.html — verify the shipped files if you rely on local-only behavior.
Like a lobster shell, security has layers — review code before you run it.
latestvk97akrz6cycz50zmg0htw282wd84b5xy
