Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
St Ent Mcp
v0.1.2
Search 699pic enterprise photo/video assets, check whether an asset was already downloaded, inspect download records, and generate download links through the...
⭐ 0 · 186 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description match the included scripts and SKILL.md (search, check downloaded, generate links). However the registry metadata lists no required env vars or binaries, while the runtime instructions and scripts clearly require SERVICE_API_KEY, node, and (for the MCP path) mcporter. That mismatch is incoherent: a skill that needs an API key and mcporter should declare them in its requirements.
Instruction Scope
SKILL.md keeps scope focused on asset search/download workflows and explicitly instructs the operator to review scripts and local mcporter config. The runtime instructions do not ask the agent to read unrelated system files or exfiltrate data elsewhere. One caveat: the instructions default to using a built-in base URL (https://pre-st-api.699pic.com) if SERVICE_API_BASE_URL is not set — the script will call that external endpoint, so users must confirm that endpoint and their API key are correct.
Install Mechanism
There is no install spec (instruction-only with bundled scripts), so nothing is downloaded or extracted by an installer. Included files are small scripts and a Node.js script; no remote install URLs or installer actions are present.
Credentials
The scripts require SERVICE_API_KEY (and optionally SERVICE_API_BASE_URL) and expect node and, for the MCP path, mcporter to be available. The registry metadata, however, declares no required env vars, no primary credential and no binaries, so the skill's real footprint (an API key, a script that sends network requests, and two external binaries) is larger than what its metadata discloses. The only sensitive item requested is an API key for the service, which is reasonable for this purpose, but it must be explicitly declared so users know what will be accessed.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable. It does not request persistent system privileges or write to other skills' config based on the provided files.
What to consider before installing
This skill's code is consistent with its stated purpose, but its package metadata omits key operational requirements. Before installing or running it:
1. Verify you control the SERVICE_API_KEY you will provide (do not use a shared/unknown key).
2. Inspect scripts/openapi.js yourself and confirm the base URL (default: https://pre-st-api.699pic.com) is the correct target for your enterprise.
3. Ensure node and, if you plan to use the MCP path, mcporter are present, and that any local mcporter registration named st-mcp is audited for commands/permissions.
4. Ask the publisher to update registry metadata to declare SERVICE_API_KEY and the required binaries; the absence of those declarations is the primary coherence issue.
If you cannot verify the API key ownership or the target endpoint, do not install or run the skill.
Patterns worth reviewing
scripts/openapi.js:4: Environment variable access combined with network send.
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
latest (vk97fe3d92e24v9fz2n7sb9zy7182tw2h)
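As an added example (not the skill's own code and not ClawHub's scanner), the following Node.js script performs the kind of check that the pre-install steps above call for: it scans a script for process.env reads, outbound network calls and hard-coded URLs, reports the line numbers involved, and compares the env vars actually read against what the registry metadata declares. The sample script and the empty metadata list are constructed to mirror what the scan describes about scripts/openapi.js (an API key plus a default base URL, sent over the network); they are not the real file or manifest. Regex matching is a heuristic: it catches direct reads but not values passed through intermediate variables, dynamic keys, or code loaded at runtime.

```javascript
// Added example: a small static pre-install audit for a skill bundle.
// Not the skill's scripts/openapi.js and not ClawHub's scanner. It flags the
// coherence problem the scan describes: a script that reads env vars and sends
// network requests while the registry metadata declares no required env vars.

const ENV_READ = /process\.env(?:\.([A-Z0-9_]+)|\[['"]([A-Z0-9_]+)['"]\])/g;
const NETWORK_CALL = /\b(fetch|axios\.\w+|https?\.request|https?\.get)\s*\(/g;
const URL_LITERAL = /https?:\/\/[^\s'"`)]+/g;

// 1-based line number of a character offset within source.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Scan one script and compare what it reads against what the metadata declares.
function auditSkill(scriptSource, declaredEnv) {
  const envReads = [];
  for (const m of scriptSource.matchAll(ENV_READ)) {
    envReads.push({ name: m[1] || m[2], line: lineOf(scriptSource, m.index) });
  }
  const networkCalls = [...scriptSource.matchAll(NETWORK_CALL)]
    .map(m => ({ call: m[1], line: lineOf(scriptSource, m.index) }));
  const urls = [...scriptSource.matchAll(URL_LITERAL)].map(m => m[0]);

  const envNames = [...new Set(envReads.map(e => e.name))].sort();
  const undeclared = envNames.filter(n => !declaredEnv.includes(n));

  const findings = [];
  // Same pattern the registry scan reports: env access plus a network send.
  if (envReads.length && networkCalls.length) {
    findings.push(`env-read+network-send (env at line ${envReads[0].line}, send at line ${networkCalls[0].line})`);
  }
  for (const n of undeclared) findings.push(`undeclared-env:${n}`);
  // Hard-coded endpoints deserve a manual check that they are the intended target.
  for (const u of urls) findings.push(`hardcoded-url:${u}`);
  return { envNames, envReads, networkCalls, urls, undeclared, findings };
}

// Constructed sample script, modeled on the behaviour the scan describes.
// Built from an array of plain strings so the inner `${...}` is not interpolated.
const SAMPLE_SCRIPT = [
  "'use strict';",
  "const BASE = process.env.SERVICE_API_BASE_URL || 'https://pre-st-api.699pic.com';",
  "const KEY = process.env['SERVICE_API_KEY'];",
  "async function search(q) {",
  "  const res = await fetch(`${BASE}/search?q=${encodeURIComponent(q)}`, {",
  "    headers: { Authorization: `Bearer ${KEY}` },",
  "  });",
  "  return res.json();",
  "}",
].join('\n');

// Registry metadata as the scan describes it: no env vars declared (constructed).
const DECLARED_ENV = [];

function runSampleAudit() {
  return auditSkill(SAMPLE_SCRIPT, DECLARED_ENV);
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = runSampleAudit();
  for (const f of result.findings) console.log('FINDING', f);
}
```

Run it against an unpacked skill by reading each file under scripts/ into auditSkill and passing the env vars the manifest declares; anything left in `undeclared` is exactly the metadata gap step 4 asks the publisher to close.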
