ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

警察执法资格考试助手

v1.0.0

Automation skill for 警察执法资格考试助手.

0· 53·0 current·0 all-time
by@webpenbot

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for webpenbot/police-qualification-exam.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "警察执法资格考试助手" (webpenbot/police-qualification-exam) from ClawHub.
Skill page: https://clawhub.ai/webpenbot/police-qualification-exam
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install police-qualification-exam

ClawHub CLI

Package manager switcher

npx clawhub@latest install police-qualification-exam
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included files: large local question banks, exam outline, knowledge points, and Python scripts (pqebot-core.py, pqebot-web.py, start.py). The SKILL.md declares a Python requirement (openclaw.requires.bins: ['python3']), which is coherent with the included .py files. However, the top-level metadata in the provided registry summary said 'Required binaries: none' while SKILL.md requires python3 — a mild inconsistency in declared requirements.
!
Instruction Scope
SKILL.md is mostly configuration and triggers; pqebot-core.py (shown) reads local JSON data and manages sessions (no obvious exfiltration). However: (1) a web module (pqebot-web.py) is included but its contents were truncated in the review — that file could perform network requests; (2) the SKILL.md was flagged for unicode control characters (prompt-injection pattern) which may be an attempt to hide or manipulate LLM instructions. Together these raise scope concerns — especially around any undisclosed network activity or hidden instructions.
Install Mechanism
There is no external download URL and the bundle includes all code and data files. The SKILL.md contains an openclaw.install entry ('id: skill-files'), so skill files will be written to disk when installed. This is expected for a code-based skill and is lower risk than fetching remote executables, but it does create persistent files on disk.
Credentials
No environment variables or credentials are required and the visible code reads only local data files. The requested environment access appears proportional to the stated purpose. Still, because a web module is present, verify whether it uses network credentials or external endpoints before granting broader permissions.
Persistence & Privilege
always:false and no elevated platform-wide privileges are requested. The skill will install files into the agent's skill directory (normal for a code-based skill) and can be invoked by the model (default behavior). There is no evidence it modifies other skills or system-wide settings.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md was flagged for unicode control characters (prompt-injection pattern). Hidden control characters are not needed for an exam assistant and can be used to obfuscate or manipulate prompt processing — treat as suspicious and request a sanitized SKILL.md.
What to consider before installing
This package appears to be a self-contained Python-based exam assistant with large local question banks and is mostly coherent with its stated purpose, but proceed cautiously: 1) The SKILL.md contained unicode control characters (a prompt-injection signal). Ask the developer to provide a cleaned SKILL.md with no hidden/control characters and explain why they were present. 2) Inspect pqebot-web.py and start.py before installation to confirm whether they make network calls or send data externally; if you cannot review, install only in an isolated environment (no network) or sandbox. 3) Confirm you have Python 3 available (SKILL.md requires python3) — the registry summary contradicted this. 4) Do not provide any credentials or sensitive environment variables to this skill. 5) If you need stronger assurance, request the developer to document any external endpoints used and provide a line-by-line audit of network-related code; otherwise treat the skill as potentially exfiltrative and run it with network disabled.

Like a lobster shell, security has layers — review code before you run it.

educationvk978nbxkvmh4m8cv1tvsb1qyzx856peyexamvk978nbxkvmh4m8cv1tvsb1qyzx856peylatestvk978nbxkvmh4m8cv1tvsb1qyzx856peypolicevk978nbxkvmh4m8cv1tvsb1qyzx856pey
53downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@webpenbot
educationexamlatestpolice
Download

name: police-qualification-exam display_name: 警察执法资格考试助手 description: 警察执法资格考试助手,提供完整大纲解析、12年真题库(2013-2024年766题)、高频考点分析、模拟练习等功能。 version: 1.0.0 author: 彭子 category: [学习教育] tags: [执法资格, 警察考试, 公安考试, 真题, 大纲, 学习助手, 2026大纲] trigger: ["执法资格考试", "警察执法资格", "公安考试", "执法资格大纲", "警察考试真题", "历年真题", "2026大纲", "pqebot", "执法考试"] license: MIT openclaw: requires: bins: ["python3"] install: - id: skill-files

Comments

Loading comments...