Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Market Analyzer

v1.0.0

ClawHub skill market data analysis: popular skill tracking, trend prediction, competitor analysis, and pricing strategy. Triggers: skill market, clawhub analysis, market trends, competitor analysis, skill pricing.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability (flagged)
The skill claims to analyze the ClawHub marketplace, which matches the included code. However, the registry metadata declares no required binaries or environment, while the included JS scripts clearly require a Node runtime and the 'clawhub' CLI. The code also hard-codes Windows behavior (process.chdir('C:/') and shell: 'cmd') even though the skill declares no OS restriction.
Instruction Scope (flagged)
SKILL.md instructs running node survey.js and node gap.js. Those scripts call execSync to run 'clawhub search' for many terms, write JSON cache files, and print reports. They do not read arbitrary user files, but they do execute a local CLI under the agent's account (which may use stored credentials). The runtime instructions therefore extend into executing local commands and producing on-disk artifacts — more privilege than an instruction-only doc implies.
Install Mechanism
There is no install spec (instruction-only plus code files), so nothing is automatically downloaded; risk is lower than arbitrary remote install. Still, the package contains Node.js scripts that will be executed, so a Node runtime is required but not declared. No external download URLs or extract/install steps are present.
Credentials (flagged)
The skill requests no env vars, but it runs the local 'clawhub' CLI — which typically uses the user's configured auth/session — meaning the script will act with whatever ClawHub credentials the user has on that machine. The metadata fails to declare this implicit credential usage. Also the code assumes access to C:/ and a Windows shell, which is an environment assumption not documented.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not modify other skills or system-wide configs. It writes cache files inside its own folder and the included cache files are present; autonomous invocation is allowed by platform default but not an additional privilege here.
What to consider before installing
This skill contains Node.js scripts that call the local 'clawhub' CLI and write JSON reports. Before installing or running it:
1) Verify you have Node.js and a safe, up-to-date 'clawhub' client.
2) Understand that running the scripts will execute commands as your user (the 'clawhub' CLI will use any credentials/sessions stored on your machine).
3) Note the code assumes Windows (process.chdir('C:/') and cmd shell) — run in a Windows sandbox/VM or adapt the scripts for your OS.
4) Inspect the two JS files (survey.js, gap.js) yourself — they are short and readable — and run them in an isolated environment first.
5) Be aware there is a missing report.js referenced in SKILL.md and minor bugs (e.g., a logical precedence bug in gap.js) indicating it may be a draft.
If you cannot review code, avoid giving this skill elevated or always-on privileges and run it only in a controlled environment.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
skill-market-analyzer/gap.js:26
Shell command execution detected (child_process).
skill-market-analyzer/survey.js:55
Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

