Kimi Use
Kimi Use provides conversation, image understanding, translation, and web search via Kimi AI tools using Node.js and Kimi For Coding APIs.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The code implements chat, image understanding, and translation against a Kimi API which matches the skill description. However the package.json declares dependencies (notably 'openai') that the code does not use, and the registry metadata claims no required environment variables while the code and SKILL.md require KIMI_API_KEY (required) and optional KIMI_API_HOST/KIMI_MODEL/KIMI_VISION_MODEL. This mismatch between declared requirements and actual code is concerning.
Instruction Scope
The SKILL.md and the CLI/JS read local files: understandImage takes any file path, base64-encodes the contents and posts them to the remote API. That behavior is expected for image analysis, but the implementation does not restrict reads to image types, so whatever file the user (or an instruction the agent follows) points at is read and transmitted, which is a path to accidental or malicious exfiltration of local sensitive files. The instructions also expose a 'system' prompt field, and the translate function builds a system prompt; this is normal for an LLM client but was flagged by the static scan as a possible prompt-manipulation pattern.
Install Mechanism
There is no explicit install spec (instruction-only install), which is low-risk, but package.json lists npm dependencies, so running npm install will fetch packages from the registry (including 'openai' and 'minimist'). The 'openai' dependency appears unused in the code; installing unused packages increases footprint and attack surface and should be justified or removed.
Credentials
The runtime requires a KIMI_API_KEY (sent as Bearer auth) and optionally a KIMI_API_HOST. The registry metadata however lists no required env vars or primary credential. Requiring a secret API key is reasonable for this skill's purpose, but it should be declared explicitly in the skill metadata — the omission is a data/privilege mapping problem that could mislead reviewers or automated controls.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent config, and runs as a normal user process. It exports helper functions but that is expected. No elevated persistence is requested.
Scan Findings in Context
[system-prompt-override] unexpected: Static scan flagged a 'system-prompt-override' pattern. The skill intentionally supports passing a 'system' prompt to the chat/translate functions (translate constructs a system prompt), which can trigger this heuristic. Still, prompt-manipulation patterns are sensitive — review how system prompts are used and ensure the skill is not attempting to override evaluation-time system prompts or instruct the agent to perform actions outside its scope.
What to consider before installing
Before installing or running this skill:
- Treat the KIMI_API_KEY as a real secret: add it only if you trust the Kimi service and the skill source. The skill metadata omitted declaring the required API key — that's an inconsistency to fix.
- Review and/or sanitize any file paths before using the image command. The tool will read any file you point it at (not limited to image files) and will send the file contents to the remote API; do not point it at sensitive files (SSH keys, tokens, password stores, etc.).
- Consider removing or auditing npm dependencies before running npm install: package.json lists 'openai' which the code does not use. Unused dependencies increase attack surface when npm install runs.
- Verify the KIMI_API_HOST value (defaults to https://api.kimi.com/coding). Confirm the endpoint is legitimate and you expect data (including images) to be sent there.
- Because the SKILL.md and code support providing a 'system' prompt, inspect any calls that set system prompts to ensure they are not being used to manipulate higher-privilege behavior. The static scan flagged a possible prompt-injection pattern; this may be a false positive but is worth checking.
If you are not able to review or audit the code yourself, ask the author to: (1) update the skill metadata to declare KIMI_API_KEY as a required credential, (2) remove unused dependencies or explain why they are present, and (3) add validation so that only image files are sent (at minimum, limit file reads to expected image types and sizes). Proceed carefully.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/index.js:19
Environment variable access combined with network send.
scripts/index.js:13
File read combined with network send (possible exfiltration).
Current version: v0.1.0
SKILL.md
Kimi Use
Kimi AI toolset providing chat, image understanding, translation and more. Implemented in Node.js.
Environment variables
export KIMI_API_KEY="sk-kimi-xxxx" # required (Kimi For Coding format)
export KIMI_API_HOST="https://api.kimi.com/coding" # Kimi For Coding endpoint
export KIMI_MODEL="kimi-for-coding" # optional, defaults to kimi-for-coding
export KIMI_VISION_MODEL="kimi-vl-flash" # optional, defaults to kimi-vl-flash
Get an API key: https://www.kimi.com/code/user-center/basic-information/interface-key
Install dependencies
cd ~/workspace/skills/kimi-use
npm install
CLI commands
# Chat
node scripts/index.js chat "Hello, introduce yourself"
# Image understanding (local path or URL)
node scripts/index.js image "What is in this picture?" /path/to/image.jpg
# Translation
node scripts/index.js translate "hello world" --to Chinese
# Web search (relies on the model's own knowledge base)
node scripts/index.js search "today's news"
# Streaming output
node scripts/index.js chat "Tell me a story" --stream
Node.js module usage
// ES module with top-level await (use a .mjs file or "type": "module" in package.json)
import { chat, understandImage, translate, webSearch } from './scripts/index.js';
// Chat
const chatRes = await chat('Hello');
console.log(chatRes.result.content);
// Image understanding
const imageRes = await understandImage('Where are the subtitles in this image? Answer in JSON', '/path/to/image.jpg');
console.log(imageRes.result.content);
// Translation
const translateRes = await translate('hello', { to: 'Chinese' });
console.log(translateRes.result.content);
API details
- API address: https://api.kimi.com/coding/v1
- Models: kimi-for-coding, kimi-vl-flash (vision)
- Vision: supports local base64 images and URLs
- Compatibility: OpenAI SDK style
Files
3 total