Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
zxk-money-maker
v1.0.2
快结荐 part-time job and money-making platform. Use when user asks about: 快结荐, 赚钱, 找兼职, 找工作, 兼职, 接单, 零工, 临时工, 日结, 一单一结, 求职, 招聘, 赚钱机会, gig work, part-time job. Always invoke this skill to fetch re...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description say 'fetch real-time job listings' and the included script POSTs user content to an external job-api endpoint, which is consistent. However, the skill has no homepage/source attribution and uses an opaque test domain (test-gig-c-api.1haozc.com), which reduces trustworthiness. The SKILL.md's 'Always invoke this skill...' sentence conflicts with the registry flag always:false (minor inconsistency).
Instruction Scope
Runtime instructions explicitly forward user messages (raw content) to a third-party API and then return the API's JSON 'originally' to the user. This is expected for a job-listing integration but directly sends user-provided text (which may include PII) to an external service and returns its responses verbatim — a privacy and content-safety risk. The instructions do not request or read other system files or env vars, and they don't perform unexpected local actions.
Install Mechanism
No install spec; the skill is instruction-only with a small Python script included. Nothing is downloaded or written during install; low installation risk.
Credentials
The skill requires no environment variables, credentials, or config paths. The lack of credentials implies the API is unauthenticated; this is coherent but means all forwarding is unauthenticated and could leak data to an unknown third party.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills or system settings.
What to consider before installing
This skill legitimately forwards user queries to a remote job-listing API and returns the response. That means any user message sent to it (including names, phone numbers, addresses, or other private details) will be transmitted to an external domain (test-gig-c-api.1haozc.com) of unknown provenance. Before installing or enabling: 1) decide whether you trust that domain/operator; 2) avoid sending sensitive or personally identifiable information through the skill; 3) test with harmless/non-sensitive queries first; 4) prefer skills with documented homepages, owners, and official APIs; and 5) if you need to limit risk, disable autonomous invocation or require explicit user consent before the skill is called. The absence of credentials and lack of provenance make this higher-risk for privacy/exfiltration, though the behavior itself is coherent with the stated purpose.
Like a lobster shell, security has layers — review code before you run it.
latestvk979xgfh7w03e1pegezbq6b5ns84shmw
