ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shared Bike

v0.1.0

提供哈啰/美团单车扫码开锁、骑行范围及计费指引。

0· 135·0 current·0 all-time
by@mikeclaw007
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description promise: shared-bike (扫码开锁、骑行范围、计费). SKILL.md content: travel-focused fields (交通方式、签证与政策、实时余票、航班动态、值机/登机牌等). Requested capabilities (none) don't explain why travel/flight data would be present. This is a direct mismatch.
!
Instruction Scope
SKILL.md contains unrelated instructions/fields (flight/boarding/seat availability) rather than guidance on bike unlocking or billing. It does not direct file/credential access, but its scope is inconsistent and vague — unclear what the agent should actually do at runtime.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes installation risk; nothing will be written to disk by an installer.
Credentials
No environment variables, credentials, or config paths are requested — no obvious over-privileging. However, lack of declared needs combined with mismatched instructions reduces confidence in intent.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent presence or elevated privileges.
What to consider before installing
Do not install or enable this skill until the author/source is clarified. The SKILL.md does not match the skill name/description (it looks like travel/flight guidance, not shared-bike unlock/billing). Ask the publisher for a corrected SKILL.md or a trusted homepage; confirm what APIs or credentials (if any) the skill truly needs. If you must try it, keep it user-invocable only (no autonomous invocation), and monitor any network calls or prompts it makes. Because there are no declared credentials, direct secret exfiltration is not apparent, but the packaging mismatch suggests sloppy or accidental publication — treat it as untrusted until fixed.

Like a lobster shell, security has layers — review code before you run it.

latestvk974j4yb4j41nxsz8qv5bgzmtn837ap9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments