Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ocean right marine
v1.0.0
ORM weather-routing voyage distance calculation tool - queries port-to-port sailing distances (nautical miles) via NavOptima
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to query NavOptima for voyage distances, which fits the described functionality. However, instead of requesting a proper, declared credential (API key or environment variable), the SKILL.md embeds a specific NavOptima email and plaintext password in the instructions. Hardcoding service credentials in an instruction-only skill is disproportionate and not an appropriate way to authenticate a third‑party service.
Instruction Scope
The SKILL.md directs the agent to log into a web UI, control a browser, take a full-page screenshot, and then forcibly send that screenshot to a chat channel 'regardless of user window'. That mandates collection and transmission of potentially sensitive visual data without explicit per-query user consent. It also prescribes appending fixed contact/signature info to every result. Those steps extend beyond a simple distance lookup and create clear data-exfiltration and privacy risks.
Install Mechanism
Instruction-only skill with no install spec and no code files — low disk/write risk. No third-party packages or downloads are requested.
Credentials
The skill declares no required environment variables or credentials, yet instructs use of a specific NavOptima account (email and plaintext password). This mismatch is a red flag: credentials are present but not managed through declared env vars, and there is no justification for sharing a shared/static password inside the skill text.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or agent system settings. However, its mandatory 'capture and send' behavior effectively gives it a recurring data-exfiltration action each invocation; if the agent invokes the skill autonomously, that increases risk. Autonomous invocation itself is normal, but combined with forced screenshot-sending it widens the blast radius.
What to consider before installing
Do not install blindly. Specific things to consider before installing:
- The SKILL.md contains a plaintext NavOptima email and password — ask who owns that account and whether you are authorized to use it. Never rely on hardcoded shared credentials; prefer per-user credentials or API keys injected via environment variables. If that account is legitimate, rotate the password and avoid embedding secrets in skill text.
- The skill forces full-page screenshots and instructs sending them to chat 'regardless of user window'. That can leak sensitive map/context data or other on-screen information. Require explicit user consent before any screenshot is taken or sent, and restrict sending to the active conversation only.
- Verify the contact details and the service domain (https://nop.ormwx.com). If you cannot confirm the provider and account ownership, do not grant the skill runtime access to your agent or browser tools.
- If you still want the functionality: request the skill be changed to (1) accept credentials via declared environment variables or an OAuth flow, (2) make screenshots and sending optional and require user confirmation, and (3) remove hardcoded contact/signature insertion or make it configurable.
- Test the skill in a restricted sandboxed environment first, monitor network and account activity, and rotate credentials immediately if they were used by the skill. If you have compliance or privacy constraints, this skill’s current instructions are inappropriate until modified.
Runtime requirements
⚓ Clawdis
