Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Quickstart Cn
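v1.0.1
A start-to-finish guide for Chinese-speaking users to quickly install and configure Chinese domestic AI models and test OpenClaw, covering environment checks, model configuration, connection testing, and installing extension skills.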
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (OpenClaw quickstart for Chinese users) match the SKILL.md instructions (environment checks, configuring DeepSeek/Zhipu/Qwen). Nothing in the manifest asks for unrelated credentials or files. However the guide tells users to run a remote installer (curl | bash) which effectively extends the skill beyond 'instruction-only' and should be explicitly declared.
Instruction Scope
Instructions are narrowly scoped to environment checks (node, uname), installing OpenClaw (curl|bash or npm), configuring provider API keys, and testing status/logs. They do not ask the agent to read arbitrary user files or exfiltrate data, but the curl | bash pattern instructs executing remote code, which could perform additional actions not visible in SKILL.md.
Install Mechanism
No install spec is declared in the registry metadata, yet the document directs users to run 'curl -fsSL https://get.openclaw.ai | bash' — piping a remote script to the shell is a high-risk install mechanism. The alternative npm install is lower risk. The remote URL is not a well-known release host (e.g., GitHub releases) and the manifest does not include a verified installer checksum or reproducible source.
Credentials
The skill does not request environment variables or secrets in the manifest. The documented workflow legitimately requires provider API keys (DeepSeek, Zhipu, Qwen); these are proportional to the stated purpose and are set via the OpenClaw CLI, not requested by the skill itself.
Persistence & Privilege
Registry flags show no forced persistence (always:false) and no special privileges. However, following the SKILL.md install (remote installer) could create persistent system binaries or services — that persistence would come from the external installer, not from the skill metadata.
What to consider before installing
This guide appears to be a legitimate quickstart for configuring Chinese AI providers, but it recommends running a remote installer via 'curl | bash' which can execute arbitrary code on your machine. Before proceeding:
(1) verify the installer URL (get.openclaw.ai) — check the project's official repo or homepage and confirm the install script's contents;
(2) prefer the npm install path if you trust the package registry and maintainers;
(3) if you must use the curl method, download the script first and inspect it (curl -fsSL https://get.openclaw.ai -o install.sh; less install.sh) instead of piping to sh;
(4) run installs in a sandbox or VM if you are unsure;
(5) only provide API keys for the listed providers and never share cloud or system credentials;
(6) verify the homepage/repo (skill.json points to https://github.com/openclaw-cn/skills) and the publisher identity before trusting the installer.
If you want, I can fetch and summarize the installer script or check the GitHub repo for matching installer sources (I will not execute any code).
Like a lobster shell, security has layers — review code before you run it.
Tags: beginner, chinese, latest, tutorial
