Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kuaidaili Proxy

v1.0.0

Kuaidaili proxy IP service integration. Use when you need to (1) fetch proxy IPs from Kuaidaili API, (2) check account balance, (3) manage proxy orders, (4) test proxy connec...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Kuaidaili proxy integration) matches the included scripts (get_proxies.py, check_balance.py, test_proxy.py) and the API reference. However, the registry metadata reports no required environment variables or primary credential, while the SKILL.md and scripts clearly require KUAIDAILI_SECRET_ID and KUAIDAILI_SIGNATURE. This metadata omission is an inconsistency (likely an oversight) but is not by itself malicious.
Instruction Scope
SKILL.md and the scripts only instruct the agent/user to provide Kuaidaili credentials or pass them as CLI args, call Kuaidaili API endpoints, and optionally test proxies against httpbin.org. The instructions do not ask the agent to read unrelated files, system secrets, or send data to unknown endpoints. There is a minor typo in SKILL.md (example uses scripts/scripts/get_proxies.py) but no scope creep.
Install Mechanism
There is no install spec (instruction-only) and no downloads or extract steps. The bundled code is plain Python using requests and makes HTTPS calls to Kuaidaili endpoints and httpbin.org. No third-party, opaque downloads or URL-shortened installers are present.
Credentials
The scripts legitimately require two secrets (KUAIDAILI_SECRET_ID and KUAIDAILI_SIGNATURE). That is proportionate to the stated purpose. However, the package/registry metadata lists no required env vars or primary credential, a direct mismatch. Users could be surprised because the registry does not advertise the need to provide credentials. Also, the SKILL.md suggests storing creds in environment variables (normal), but users should avoid committing them to disk.
Persistence & Privilege
The skill is not marked always:true and does not request elevated persistence. It does not modify other skills, system configs, or write hidden services. Autonomous invocation is allowed (the default), which is normal; nothing in the package indicates it would abuse that.
What to consider before installing
This package appears to do what it says (fetch proxies, check balance, test proxies), and the Python scripts are readable and call legitimate Kuaidaili endpoints and httpbin.org. However, the registry metadata failing to list the required environment variables is an inconsistency you should resolve before installing. Actions to consider:
- Confirm with the publisher (or inspect the files) that KUAIDAILI_SECRET_ID and KUAIDAILI_SIGNATURE are required (they are), and decide how you'll provide them (env vars or CLI args).
- Run the scripts locally in an isolated environment (virtualenv / container) to inspect behavior before giving credentials to any service.
- Verify the endpoints (dev.kdlapi.com, dps.kdlapi.com, tps.kdlapi.com) match official Kuaidaili docs and that you trust the skill owner (registry owner id is unknown).
- Avoid storing secrets in world-readable files; prefer the process environment or a secret manager.
- Note the SKILL.md typo (scripts/scripts/...), a sign of low polish but not malicious.
If you need high assurance, ask the maintainer to update the registry metadata to declare required env vars and provide a verified homepage/repository.
