Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kairoa CLI
v1.0.1开发者工具箱 CLI,50+ 命令。当用户需要编码解码、哈希/HMAC 计算、UUID/ULID 生成、数据格式转换、JSON/SQL 处理、HTTP/WebSocket/DNS/IP 网络工具、端口扫描/TLS/证书检查、密码生成/强度检测/保险库、Mock 数据、OTP、QR 码、正则测试、图片/PDF 处理...
⭐ 0· 53·0 current·0 all-time
by路多辛@luduoxin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description describe a general-purpose developer CLI and the SKILL.md documents many corresponding commands (hashing, HTTP, DNS, port scan, OTP, QR, password vault, AI Chat, etc.). The requested capabilities are coherent with the stated purpose.
Instruction Scope
Instructions are focused on installing and using the kairoa binary and list command usage. They explicitly include network-facing commands (HTTP client, DNS/IP lookup, port scanning, TLS checks) which are expected for such a tool but are powerful and can access/transmit data. The SKILL.md also documents an AI Chat feature that requires an OpenAI-style API key when used.
Install Mechanism
There is no platform install spec in the registry (skill is instruction-only). The README recommends Homebrew/Scoop, manual download from a GitHub releases URL, or building from source (reasonable). It also suggests a curl|bash remote installer (raw.githubusercontent.com), which the doc correctly warns to review first — remote script installs carry higher risk and should be audited before execution.
Credentials
SKILL.md documents an optional OPENAI_API_KEY for the AI Chat feature, which is appropriate for that feature. However, the registry metadata earlier listed 'Required env vars: none', so there is an inconsistency between metadata and the SKILL.md about environment requirements. Confirm whether OPENAI_API_KEY is required/optional in registry metadata before installation.
Persistence & Privilege
The skill is not always-enabled and does not request persistent platform privileges. It does not include code or an install action that would force-enable itself in the agent. No elevated persistence is requested.
Assessment
This skill appears to be what it says: a general-purpose CLI toolbox. Before installing, confirm the following: (1) whether the registry metadata should declare the optional OPENAI_API_KEY (SKILL.md mentions it) and whether you intend to use the AI Chat feature; (2) avoid blindly running the recommended curl|bash installer — inspect the script or prefer installing from a package manager, GitHub release binary, or building from source; (3) be aware the tool includes network and scanning commands (HTTP/DNS/port scan) which can access or send data — only run commands you trust and avoid processing sensitive secrets with unknown binaries; and (4) if you plan to use the password vault feature, review where it stores encrypted data and key derivation parameters to ensure they meet your operational security requirements.Like a lobster shell, security has layers — review code before you run it.
latestvk9767k22q2jwvm8xxprdj493v984k3kt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.