Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
digital-gov-consultant
v1.0.4
Entry point for a digital-government application-scenario declaration consultant and document generator. Use cases: the user mentions "digital government", "declaration materials", "four lists" or "application scenario declaration"; needs to write a government project requirements document, business list or architecture diagram; needs professional guidance on digital-government declarations; or wants to generate declaration documents that meet provincial standards with one click. Workflow: 1. Guide the user to view the online sample document 2. Guide the user to describe the project requirements 3....
by somebody (@somebody) · repo
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md and the included script consistently implement a consultant that sends user requirements to an API and returns a task link. However, the API domain (digital.somebody.icu) is not an official or known vendor domain and there is no homepage or owner information; that raises a question about whether this external service is appropriate/trustworthy for government-related data.
Instruction Scope
The runtime instructions explicitly tell the agent (or user) to run scripts/submit_requirement.py which POSTs the full user-provided requirement text to https://digital.somebody.icu/api/generate. The SKILL.md does not warn that user content will be transmitted off-device, nor does it require user consent or describe data handling/retention—this is a scope/privacy concern because potentially sensitive project details are sent to an external host.
Install Mechanism
There is no install specification (instruction-only), which minimizes install risk. However, the included Python script imports the 'requests' package dynamically but the skill does not declare dependencies—this mismatch may cause runtime failures or hidden attempts to install dependencies later. The script also uses subprocess to call curl.exe on WSL, which is plausible but noteworthy.
Credentials
The skill requests no credentials or environment variables, which is proportionate. Nonetheless it transmits arbitrary user-entered text to an external third party; even without requesting secrets, sending project details externally can leak sensitive information. The target host is a personal-looking domain (somebody.icu) rather than an official vendor or government endpoint, increasing privacy risk.
Persistence & Privilege
The skill does not request persistent privileges (always:false) and does not modify other skills or system-wide settings. It runs only when invoked, which is appropriate for its purpose.
What to consider before installing
This skill will send the full text you provide to https://digital.somebody.icu/api/generate and return a task ID/link. Before installing or using it: (1) verify who operates digital.somebody.icu (organization, privacy policy, TLS cert); (2) do not submit sensitive or confidential project details to this service; (3) note the script requires the Python 'requests' library but the skill doesn't declare or install it—test in a safe environment first; (4) if you need a trusted workflow, consider hosting your own API and using the script's base_url argument, or ask the author for provenance and a privacy statement; (5) run the script in an isolated/sandboxed environment or inspect network traffic to confirm behavior. If you cannot verify the service operator or privacy practices, treat this skill as risky for real government or sensitive data.
