Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

login-digitalme

v1.0.0

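Completes user login/registration via a mobile SMS verification code; includes two endpoints: send verification code and log in with verification code.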

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md behavior (using curl+jq to call an API at SMS_LOGIN_BASE_URL to send/login with SMS codes) is coherent for an SMS-login helper. However, the declared required env var and primaryEnv are set to the literal '180.184.28.174:30080' (an IP:port), which does not match the SKILL.md's documented SMS_LOGIN_BASE_URL. That mismatch is unexpected and disproportionate to the stated purpose.
Instruction Scope
The instructions are narrowly scoped: confirm phone from user, POST to /send and /login endpoints, parse JSON with jq, extract token from data.token, and avoid exposing full tokens. They explicitly forbid guessing phones or auto-enumerating codes. They reference only SMS_LOGIN_BASE_URL, PHONE, and CODE at runtime.
Install Mechanism
Instruction-only skill with no install spec and no code files; required binaries are only curl and jq. This is low install risk and appropriate for a curl-based API helper.
Credentials
The skill declares a required env var named '180.184.28.174:30080' and lists that as primaryEnv, but SKILL.md expects SMS_LOGIN_BASE_URL. Requiring an IP:port string as an env var name is incoherent and may indicate misconfiguration or a hidden intent to force use of a specific backend. No credentials (API keys) are requested, which is reasonable, but the incorrect env-var declaration is a red flag.
Persistence & Privilege
The skill does not request persistent/always-on presence and does not write installs or system configs; autonomous invocation is allowed (platform default) but not combined with other high-privilege requests.
What to consider before installing
This skill's behavior (calling an SMS API via SMS_LOGIN_BASE_URL) matches its description, but the package metadata incorrectly lists a required environment variable named '180.184.28.174:30080' and marks that as the primary credential. Before installing or using it:

1) ask the author to correct the metadata so the required env var is SMS_LOGIN_BASE_URL (not an IP literal), and confirm what backend that variable should point to;
2) verify the API host is trusted (don't point SMS_LOGIN_BASE_URL to an unknown IP);
3) avoid supplying high-privilege credentials or tokens unless the service is verified;
4) because the skill comes from an unknown source with no homepage, prefer to test it in an isolated/dev environment and inspect network calls; and
5) require the skill to explicitly document how tokens are stored/used to ensure they won't be exfiltrated.

These inconsistencies make the package suspicious rather than clearly benign.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

Bins: curl, jq
Env: 180.184.28.174:30080
Primary env: 180.184.28.174:30080
