Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

nexua-ai

v1.0.1

Unified intelligent assistant for the Nexus mini-program. It combines three functions: publishing resources/jobs/events, querying usage reports, and intelligent Q&A. Use this skill when the user says "publish resource/job/event/recruitment", "query nexus summary/usage report/AI usage report", or asks about resources/people or searches for information.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for songsh66/nexus-ai.

Install the skill "nexua-ai" (songsh66/nexus-ai) from ClawHub.
Skill page: https://clawhub.ai/songsh66/nexus-ai
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI


openclaw skills install nexus-ai

ClawHub CLI


npx clawhub@latest install nexus-ai

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described capabilities (post resource, query reports, RAG search) match the network endpoints and functions implemented in scripts/nexus_ai.py (calls to nexus-saas...sh.run.tcloudbase.com and ai.hydts.cn). That is consistent. However the SKILL.md claims a JWT token is stored in scripts/token.txt and required for posting, but the script does not read or send any token parameter. The SKILL.md also references a Windows QR file path (C:\Users\Songsh\.qclaw\workspace\nexus_report_template.png) while the script uses scripts/nexus_qr.png. These inconsistencies reduce confidence that the documentation and implementation are aligned.
Instruction Scope
SKILL.md instructs the agent to use a token from scripts/token.txt and to attach a token parameter for posting, but the included script never reads token.txt nor sends a token. SKILL.md and the script disagree about the QR image path. The instructions direct network calls to two external services (the Nexus SaaS endpoint and a third‑party RAG service at ai.hydts.cn); the SKILL.md does not call out privacy implications of sending user queries to a third party. The agent is not instructed to access any unrelated local files or env vars, but the token mismatch is problematic (either documentation is stale or code is missing authentication handling).
Install Mechanism
No install spec; this is an instruction + single script file. No packages are downloaded or written to disk by an installer. Risk from install mechanism is low.
Credentials
The skill declares no required environment variables or credentials, which is appropriate for the visible code. But the SKILL.md claims a JWT token in scripts/token.txt and a Windows report template path; those are not reflected in requires.env and are inconsistent with the script. Also, the script sends user phone numbers and queries to remote endpoints (including ai.hydts.cn), which may be sensitive — lack of declared credential/consent handling is a privacy consideration.
Persistence & Privilege
always is false and there is no claim that the skill modifies other skills or system settings. It does not request elevated or persistent platform privileges.
What to consider before installing
Key things to check before installing or enabling this skill:

  • Documentation mismatch: SKILL.md says a JWT token is stored in scripts/token.txt and that the token is required for posting, but scripts/nexus_ai.py does not read token.txt or send a token. Ask the author which is correct. If a token is actually required, confirm how it will be provided and stored and inspect scripts/token.txt for sensitive data.
  • Third-party data flow: The 'ask' feature posts user queries to https://ai.hydts.cn. If you will send user content (including phone numbers or private text), understand that those queries go to that external service. If privacy of queries is important, do not enable the RAG feature until you verify the provider's privacy/security posture or remove that call.
  • File path inconsistencies: SKILL.md references a Windows QR image path; the script expects scripts/nexus_qr.png. Confirm that the expected QR image exists where the script expects it, and that no unexpected file reads/writes occur.
  • Test safely: Run the script in a sandbox or isolated environment first. Use non-sensitive test phone numbers and dummy content to observe network behavior (which endpoints are called and what payloads are sent). Monitor the network to verify whether any token or other secret is transmitted unexpectedly.
  • Ask for clarifications or fixes: Request an updated SKILL.md that matches the code (or updated code that matches the docs). Specifically ask whether an auth token is required and where it should come from, and ask the author to document the privacy implications of the RAG endpoint.

Overall: the skill appears to implement the advertised features, but the documentation/code inconsistencies and the use of an external RAG service justify caution (suspicious).


109 downloads · 0 stars · 2 versions · Updated 5d ago · v1.0.1 · License: MIT-0

Nexus-AI: Nexus Unified Intelligent Assistant

Feature Overview

  • 发布资源 (publish resource): publishes resources/jobs/events to the Nexus platform. Trigger words: 发布, 我要招聘, 发布岗位, 发布活动 (publish, I want to hire, post a job, post an event)
  • 使用报告 (usage report): queries the usage report for the Nexus mini-program. Trigger words: 查询总结, 使用报告, AI使用报告, 我的数据 (query summary, usage report, AI usage report, my data)
  • 智能问答 (smart Q&A): calls RAG smart search to look up resources/people/knowledge. Trigger words: 搜索, 查找, 问问, 查一下, 帮我找 (search, look up, ask, check, help me find)

Feature 1: Publish Resources/Jobs/Events

API Details

  • Endpoint: https://nexus-saas-45653-8-1317958785.sh.run.tcloudbase.com/job/open-claw-create-job
  • Method: POST; all parameters are passed as a query string

Required Parameters

  • token: JWT authentication token (stored in scripts/token.txt and read automatically)
  • phone: the user's phone number
  • title: title of the post
  • content: body/details of the post

Automatic label detection rules

  • 校招 (campus recruiting): 招聘, 实习, 校招, 校园, 春招, 秋招, 应届, 管培
  • 投/融资 (investment/financing): 投资, 融资, 天使轮, A轮, B轮, 估值, 资金
  • 活动交流 (events/networking): 活动, 交流会, 论坛, 峰会, 沙龙, 会议, meetup
  • 置顶推广 (pinned promotion): 推广, 置顶, VIP, 赞助, 推广位, 广告
  • 需求 (request): default when none of the above keywords match

How to run

Run scripts/nexus_ai.py post --phone <phone> --title <title> --content <content>

Output format

  • Success: ✅ 发布成功,资源ID: xxx (publish succeeded, resource ID: xxx)
  • Failure: ❌ 发布失败,错误信息 (publish failed, followed by the error message)

Feature 2: Query Usage Report

API Details

  • Endpoint: https://nexus-saas-45653-8-1317958785.sh.run.tcloudbase.com/summary/content_by_phone
  • Method: POST; phone is passed as a query parameter

How to run

Run scripts/nexus_ai.py summary --phone <phone>

Output format

  1. Send the text report (plain text with HTML tags stripped)
  2. Send the QR code image: C:\Users\Songsh\.qclaw\workspace\nexus_report_template.png (as an attachment)

Feature 3: Smart Q&A (RAG search)

API Details

  • Endpoint: https://ai.hydts.cn/ai/rag-stream
  • Method: POST
  • Content-Type: application/json

Request Parameters

  • query: the user's question
  • mod: fixed value coze
  • identity: identity marker (defaults to the user's phone number)
  • session_id (optional): session ID; when supplied, it is placed on the first line of the returned content

How to run

Run scripts/nexus_ai.py ask --query <question> [--session-id <session_id>]

Output format

  • With session_id: the first line of the returned content is the session_id, the second line is blank, and the actual content starts on the third line
  • Without session_id: the content is returned directly

Command-line interface (nexus_ai.py)

# Publish a resource
python scripts/nexus_ai.py post --phone <phone> --title <title> --content <content>

# Query the usage report
python scripts/nexus_ai.py summary --phone <phone>

# Smart Q&A
python scripts/nexus_ai.py ask --query <question> [--session-id <session_id>]

Notes

  • All scripts must be run from the scripts/ directory
  • The phone number must be a real, valid mainland China mobile number
  • Recommended title length is 5 to 20 characters; content should be at least 20 characters
