Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (system / OpenClaw health checks) is plausible for the listed checks, but the skill does not declare any config paths, environment variables, or binaries even though tasks like 'API密钥有效性' (API key validity) and '配置文件完整性' (config file integrity) inherently require reading configuration files or credentials. That mismatch between claimed capability and declared requirements is concerning.
Instruction Scope
SKILL.md is high-level and open-ended — it instructs the agent to check versions, service status, config integrity, API key validity, and logs but gives no concrete, scoped instructions (which files/paths to inspect, which APIs to call, or how to obtain keys). This vagueness grants the agent broad discretion to read arbitrary system files, environment variables, or network endpoints.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes risk from arbitrary downloads or disk writes.
Credentials
The skill lists checking 'API密钥有效性' (API key validity) and '配置文件完整性' (config file integrity) but declares no required env vars or config paths. Verifying API keys typically requires access to secrets stored in env vars or config files — the lack of declared credentials or paths is disproportionate and opaque.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (platform default). Autonomous invocation combined with the instruction vagueness increases risk because it could autonomously read sensitive files when run.
What to consider before installing
This skill is an instruction-only diagnostic checklist that could cause the agent to probe your system and configuration files, including any API keys it finds, but it does not say where it will look or what credentials it needs. Before installing or running it:
1) Ask the author which specific files/paths and API keys will be accessed and how API keys are validated.
2) Do not run it with elevated privileges or on production systems until you confirm exact behavior.
3) Consider running it in a sandbox or staging environment first.
4) If you must use it in production, restrict the agent's file and environment access (provide only the specific config files you want checked) and audit its actions/logs.
Like a lobster shell, security has layers — review code before you run it.
latestvk977k18wgrh1mhr8qfnqmfwht9844svf
