ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

light-chaser

v1.0.2

旅行摄影动态脚本助手,解决旅行者"去哪拍、何时拍、怎么拍、怎么走"四大核心痛点。将碎片化攻略转化为可执行的拍摄时间线。当用户提到旅行拍照、打卡、旅拍、摄影攻略、出行拍摄计划时使用此技能。

2· 58·0 current·0 all-time
byccshen@ccshen722
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (travel photography timeline) align with the instructions: collecting user trip info, web searching for popular photo spots, querying weather, and producing a shooting timeline. Requested/optional artifacts (config.env for a weather API) are appropriate for the stated purpose.
Instruction Scope
SKILL.md explicitly directs the agent to (a) perform web searches for destination-specific recommendations, (b) optionally call a weather API if QWEATHER_HOST/KEY are provided, and (c) read the skill's local config.env file. These actions are within scope, but the skill instructs using curl and shell snippets even though no required-binaries list is declared—so the runtime environment must permit HTTP requests and optionally curl execution. Also be aware search queries will include destination/date info (potentially sensitive).
Install Mechanism
Instruction-only skill with no install steps and no code files—nothing will be written to disk beyond user-edited config.env. This is the lowest-risk install model.
Credentials
No required environment variables or credentials are declared. The only optional credential is a QWeather host/key read from the local config.env—this is proportional to the stated goal of getting precise weather data. Users should treat QWEATHER_KEY as a secret and only populate it if they trust the API provider.
Persistence & Privilege
The skill is not always-enabled, does not request persistent system privileges, and does not modify other skills or global agent settings. It only reads a local config.env if present.
Assessment
This skill looks coherent and focused on producing travel photography timelines. Before installing: (1) confirm you are comfortable the agent will run web searches and (optionally) make HTTP calls to a weather API; (2) only add a QWEATHER_KEY to config.env if you obtained it from a trusted account and you accept storing that key in the skill directory; (3) ensure your runtime has network access (and curl if you expect the shell snippets to run), and understand that destination/date queries will be sent to search providers and the optional weather host; (4) if you need offline or privacy-preserving use, do not populate config.env and avoid invoking the network-dependent features.

Like a lobster shell, security has layers — review code before you run it.

latestvk9732cv1b25t8f49qff635t2g9843qs0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments