Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China National Pension Calculation

v1.3.0

Pension calculator - supports data entry through a web interface and interactive LLM conversation. Calculates the basic pension, enterprise annuity, personal pension and pension savings. Intended for calculations under the Chinese pension system.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included code: web UI, MCP server, calculation engine, and local data storage. No unexpected credentials, external services, or unrelated binaries are requested.
Instruction Scope
SKILL.md instructs the agent to start a local web UI, accept user-filled data, then read data/user-data.json to produce reports. The code reads/writes only files under the skill directory and serves static UI on localhost; it does not ask for or access unrelated system paths or secrets.
Install Mechanism
No formal install spec in registry metadata (instruction-only), but a package.json and package-lock.json are included. The README instructs running npm install and node mcp-server.js; dependencies come from the public npm registry (@modelcontextprotocol/sdk and its transitive deps). This is expected but means npm will fetch packages from the public registry.
Credentials
The skill requires no environment variables, credentials, or system config paths. All I/O is scoped to a local data/ directory owned by the skill; requested resources are proportional to the stated functionality.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It runs a local Node process and writes its own data files (data/user-data.json, status.json), which is expected for this type of skill.
Assessment
This package appears coherent and local-only, but take the usual precautions before running third-party Node code:

1) Review the repository locally (you already have the files) and inspect any remaining truncated files for network calls or obfuscated code.
2) Run npm install in an isolated environment (container/VM) to avoid unexpected transitive dependency issues.
3) The skill starts local servers (default ports 8082 and 8084) and writes data to data/user-data.json; do not expose these ports to the public internet, and avoid entering sensitive identifiers unless you are comfortable storing them locally.
4) If you need stricter assurance, calculate expected outputs from sample inputs or run the server offline and monitor outgoing network activity.

If you want, I can scan the remaining truncated files for network endpoints or suspicious patterns before you install.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9755vsbzeqzs69at9v7zny98s84m14f
