ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Volcengine VeADK Skills

v1.0.0

根据用户的功能需求,完成与 VeADK 相关的功能。

0· 896·125 current·131 all-time
by@yaozheng-fang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (generate VeADK agents and convert Langchain/Dify artifacts) align with included references and the single helper script. The repo contains conversion rules, generator guidance, and agent/tool docs that match the described functionality.
Instruction Scope
SKILL.md restricts behavior to analyzing user requirements, generating agent code, converting Langchain/Dify, then saving outputs via scripts/save_file.py. That is appropriate, but the save_file.py utility will create directories and write arbitrary content to any path provided — there is no path sanitization or restriction in the instructions. This means the agent (if given or choosing arbitrary paths) could overwrite sensitive files; review/limit paths before saving.
Install Mechanism
No install spec and only a small Python helper script are present. No downloads, package installs, or external binaries are requested — lowest-risk installation profile.
Credentials
The skill declares no required environment variables, credentials, or config paths. The requested surface is proportional to a code-generation converter.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent system privileges or modify other skills' configuration. It only includes a file-writing helper that is executed via explicit CLI invocation.
Assessment
This skill appears to do what it says: generate/convert VeADK agent code and save files. Before installing/using it, take these precautions: - Be aware save_file.py will write any path you provide (it creates directories and overwrites existing files). Avoid saving to system directories or sensitive locations (e.g., /etc, ~/.ssh, etc.). - Run the skill in a sandboxed environment or container, or restrict its working directory to a project folder you control. - Inspect generated code before executing it — code generators can produce code that makes network calls, executes shell commands, or loads secrets. - If you will automate saving (agent-run), add path validation or a whitelist of allowed output directories to prevent accidental or malicious overwrites. - Do not run with elevated privileges (root/administrator) while using this skill. If you want a higher-assurance review, provide examples of generated output or the exact agent invocation flow so I can check for dangerous patterns in the produced code.

Like a lobster shell, security has layers — review code before you run it.

latestvk9784y96sy8y9s8npgjxq0ewj180whhf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments