Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

test-vip

v1.0.3

hahahaha

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a product-search workflow that requires executing a Python script and making HTTP calls, but the skill declares no required binaries (e.g., python), includes no code files (query_search_products.py is referenced but not bundled), and provides no guidance where the script comes from. That mismatch between claimed behavior and required/packaged capabilities is concerning.
Instruction Scope
Runtime instructions explicitly tell the agent to run `python query_search_products.py {keyword}` and to concurrently invoke a separate 'vipshop-product-consultant' skill. Because the referenced script is not included and the nested skill is external, the agent may attempt actions (running local binaries, network calls, invoking other skills) outside the package's visible surface. The instructions do not declare what endpoints, credentials, or data are used or returned.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. That lowers install-time risk, but raises runtime ambiguity because required binaries/scripts are not packaged.
Credentials
The skill declares no environment variables or credentials, yet it instructs HTTP API calls and running a Python script. If the real implementation requires API keys or other secrets, those are not declared. Lack of declared credentials is inconsistent with typical networked search integrations.
Persistence & Privilege
The skill does not request always:true and has default invocation settings. It does not declare changes to other skills or system config. Autonomous invocation is allowed (platform default) but is not additionally privileged here.
What to consider before installing
This skill's instructions require running a Python script (query_search_products.py) and calling another skill, but the package contains no script, no declared python requirement, and no information about API endpoints or credentials. Before installing or enabling it:
1) ask the author to provide the missing script or explain where it will be obtained and why it's safe;
2) ask which Python version or other binaries are required and have them declared;
3) ask which external APIs/endpoints are called and whether any credentials are needed;
4) verify the identity and trustworthiness of the 'vipshop-product-consultant' skill the package will invoke; and
5) avoid granting broad network or credential access until those questions are answered.
Because this is instruction-only, there's no code to audit — that increases uncertainty about what will actually run at runtime.

Like a lobster shell, security has layers — review code before you run it.

latest vk978sb4h3erc98tp359a9q6gtd83wnfm
