Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Media Saber 云助手
v3.0.202604030848在 Media Saber MCP 中运行云存储和下载任务,包括 115 转移和磁力/ed2k 离线下载。
⭐ 0· 44·0 current·0 all-time
by逍遥乐@xylplm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and skill.json both describe needing an MCP endpoint URL and an API_KEY (and to read/write ~/.claw/mcpServers.json), which is coherent with a Media Saber MCP integration. However the top-level registry metadata supplied to the evaluator (Requirements: 'Required env vars: none', 'Homepage: none') contradicts the skill.json/SKILL.md. This mismatch between declared registry requirements and the skill's own manifest/instructions is unexpected and should be clarified.
Instruction Scope
Runtime instructions are limited to configuring the MCP endpoint, storing the API key either in an OpenClaw config file (~/.claw/mcpServers.json) or an environment variable, and submitting download/cloud tasks to the specified MCP service. The SKILL.md does not instruct reading unrelated filesystem locations or exfiltrating data to third parties. It does instruct storing a sensitive API key locally and recommends secure file permissions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write or execute. That is low-risk compared with skills that download and run archives or packages.
Credentials
Requesting an MCP endpoint URL and an API key is proportionate to the declared functionality. The skill requests read/write access to ~/.claw/mcpServers.json to store the endpoint and key, which is expected but sensitive. The main concern is the registry metadata mismatch which initially listed no required env vars; confirm which view is authoritative. Ensure you provide a least-privilege API key (not a full admin key).
Persistence & Privilege
The skill does not request 'always' privilege, does not modify other skills' configs, and only asks to read/write its own OpenClaw config path. Default autonomous invocation is allowed (platform default) but not unusual here.
What to consider before installing
This skill appears to do what it says — control Media Saber MCP tasks — but two mismatches should make you pause: (1) the registry metadata you were shown claims no required environment variables or homepage, while the skill's own SKILL.md and skill.json clearly require an MCP_ENDPOINT_URL and an API_KEY and list a homepage. Ask the publisher (or the registry) to explain the discrepancy before installing. If you proceed, only connect to MCP endpoints you control or fully trust, use a least-privilege API key (not an admin key), prefer HTTPS, restrict ~/.claw/mcpServers.json file permissions (e.g., 600), and rotate/revoke the key if you suspect misuse. If you cannot verify the publisher or the endpoint, test the skill in an isolated/sandboxed environment first.Like a lobster shell, security has layers — review code before you run it.
latestvk9793yqxqgv5bcx3yh97r68wqx844nem
License
MIT-0
Free to use, modify, and redistribute. No attribution required.