ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiaoqian

v1.0.3

自动登录江苏海事局综合平台查询指定日期范围内的全局会议信息并导出包含时间、地点和参会人员的结构化数据。

0· 182·1 current·1 all-time
by@tokido-25

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tokido-25/xiaoqian.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Xiaoqian" (tokido-25/xiaoqian) from ClawHub.
Skill page: https://clawhub.ai/tokido-25/xiaoqian
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install xiaoqian

ClawHub CLI

Package manager switcher

npx clawhub@latest install xiaoqian
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the provided Python automation code align: the code automates login to the listed portal and scrapes meeting data. However, provenance is unclear (source/homepage unknown) and the package embeds a specific account (lp@njmsa / @lp280033) in SKILL.md and as defaults in code, which is unexpected for a general-purpose skill and raises questions about origin and intended operator.
Instruction Scope
SKILL.md and the script remain within the stated task (navigate site, query meetings, export Excel). But the instructions/code include plaintext credentials, will download Chrome WebDriver at runtime, write logs and output files, and the script deliberately attempts to evade automation detection (overriding navigator.webdriver). Those behaviors broaden the runtime footprint beyond a simple read-only query.
Install Mechanism
There is no declared install spec (instruction-only), but the Python code uses webdriver-manager to download ChromeDriver at runtime. webdriver-manager is a common tool and fetches drivers from standard sources, but runtime binary download increases network activity and introduces supply-chain risk compared with a pure instruction-only skill.
!
Credentials
The skill requests no required env vars in its metadata, yet the code reads MSA_USERNAME and MSA_PASSWORD (with insecure defaults embedded). SKILL.md even prints default credentials. Requiring credentials is reasonable for a login automation tool, but embedding real-seeming credentials and failing to declare them is a coherence/security problem and could leak secrets or encourage misuse.
Persistence & Privilege
The skill is not marked always:true and does not request elevated platform privileges. It writes logs and generates Excel files in the working directory (expected). Autonomous invocation is allowed by default (normal) but does increase blast radius when combined with the credential/evade flags above.
What to consider before installing
This skill mostly does what it says (automates login and scraping of the Jiangsu MSA portal), but exercise caution before installing: 1) The SKILL.md and code include plaintext default credentials — do NOT use these defaults; treat them as potential leaked/stale credentials and rotate any affected account. 2) The code expects MSA_USERNAME/MSA_PASSWORD but the skill metadata does not declare required env vars — if you install, set those env vars yourself rather than relying on defaults. 3) The script downloads ChromeDriver at runtime and attempts to hide automation (navigator.webdriver override), which increases network and detection-evasion behavior; run it in a controlled sandbox or VM and review network activity. 4) Verify the skill's provenance (who published it) before giving it access to credentials or your network. If you cannot confirm origin or do not want the script to handle credentials, do not install/run it; alternatively, extract and review the script first, remove hard-coded defaults, and supply credentials via secure environment variables or a secrets manager.

Like a lobster shell, security has layers — review code before you run it.

latestvk979yczfkcnync5y702kmhxhhx838jb7
182downloads
0stars
4versions
Updated 22h ago
v1.0.3
MIT-0
@tokido-25
latest
Download

江苏海事局会议查询技能

技能描述

本技能自动登录江苏海事局综合平台,查询指定日期范围内的会议信息,并将结果导出为结构化的Excel文件。

系统配置

  • 平台地址: http://gchportal.js-msa.gov.cn/cas/login
  • 账号: lp@njmsa
  • 密码: @lp280033
  • 查询单位: 江苏海事局局机关

使用方式

用户可以通过以下方式触发本技能:

  1. 直接询问:查询今天的会议
  2. 指定日期:查询2025-03-20的会议
  3. 日期范围:查询从2025-03-20到2025-03-25的会议

输出数据

技能执行后将生成Excel文件,包含以下字段:

  • 日期 (Date)
  • 开始时间 (StartTime)
  • 会议标题 (MeetingTitle)
  • 会议地点 (Location)
  • 出席人员 (Attendees)
  • 主办部门 (Organizer)

注意事项

  1. 确保网络连接正常,可以访问江苏海事局综合平台
  2. 账号密码敏感,建议通过环境变量配置
  3. 查询结果受平台数据更新影响
  4. 首次运行会自动下载Chrome WebDriver

技能版本: 1.0.0 | 最后更新: 2025-03-20

Comments

Loading comments...