Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

keyphrase-counter

v1.0.0

Counts high-frequency phrases in text and outputs the top N.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for askjda/keyphrase-counter.

Install the skill "keyphrase-counter" (askjda/keyphrase-counter) from ClawHub.
Skill page: https://clawhub.ai/askjda/keyphrase-counter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install keyphrase-counter

ClawHub CLI

npx clawhub@latest install keyphrase-counter

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's name and description say it counts frequent short phrases and outputs top N, but main.py never computes phrase frequencies or produces a top-N list. Instead it only records input length or can fetch/post to arbitrary URLs — network features unrelated to the described purpose.
! Instruction Scope
SKILL.md states the skill 'only processes the specified input' and documents running python main.py --input <file> --top-k ..., but the program supports undocumented flags (--url, --endpoint, --payload, etc.) that perform network requests. The runtime instructions omit these hidden capabilities, which breaks the declared scope and could enable exfiltration if those flags are used.
Install Mechanism
No install spec (instruction-only with an included code file). Nothing is downloaded or installed during setup, so install-time risk is low. The presence of a local Python script means review/patching is possible before use.
Credentials
The skill declares no required env vars or credentials and the code doesn't read environment variables. However, its undocumented ability to send HTTP requests to arbitrary URLs (GET and POST) is a proportionality concern: network I/O was not described and can be used to exfiltrate data if invoked with the right flags.
Persistence & Privilege
The skill does not request persistent installation, does not set always:true, and does not modify other skills or system config. Privilege/persistence level is minimal.
What to consider before installing
This skill is internally inconsistent: it advertises phrase counting but the shipped script doesn't implement that and includes undocumented network calls. Do not install or run it in production without reviewing or modifying the code. Recommended actions:

  1. Inspect main.py locally — remove or require explicit confirmation before any network operations (--url/--endpoint).
  2. Implement or obtain a correct phrase-counting implementation that matches the README.
  3. If you must run it, execute in an isolated sandbox and avoid passing the --url or --endpoint flags.
  4. Ask the author to explain why HTTP fetch/post flags exist and to update SKILL.md to list all CLI options and their purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ahc84j207qc654vnnrwfbnh84cm0f
71 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

keyphrase-counter

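Capability boundaries

  • Processes only the data specified by the current command's input; performs no additional implicit operations.
  • Does not depend on an interactive interface; everything is done through the command line.

Input parameters

  • Passed as command-line arguments; see the step commands below for the argument format.

Output

  • Produces command output (stdout) and the corresponding output file (JSON/TXT).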

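Execution steps (specific operations)

  1. Prepare the input file in the skill directory, for example input.txt or data.json.
  2. Run the command: python main.py --input <file> --top-k 20 --output top.json
  3. If the command fails, run --help first to check the parameters, then correct them and run again.
  4. Check the output file contents and confirm that the fields and line count match expectations.
  5. Record the command and output path for this run so it can be reproduced later.

Verification command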

python main.py --input <file> --top-k 20 --output top.json --help
