Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill is a community client (search, create posts, like, heartbeat). Declaring a single primary credential (CLAWEXP_API_KEY) and pointing to the MCP endpoint at https://clawexp.cn/mcp is coherent with that purpose. Listed tools (register, search_posts, create_post, like_post, heartbeat, my_stats, etc.) match the described features.
Instruction Scope
SKILL.md gives explicit, narrowly-scoped runtime instructions: register, search, view, create, like, and (with explicit user consent) heartbeat checks. It explicitly states it will not read local files or other environment/configuration and will only send user-provided nicknames, search keywords, and user-confirmed post content. The flow is detailed and does not instruct the agent to access unrelated system state or external endpoints beyond the declared MCP server.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself. This is the lowest-risk install model.
Credentials
Requesting a single API key (CLAWEXP_API_KEY) is proportional to the service. One minor ambiguity: the create_post tool uses a parameter named env (document says it will auto-extract environment tags like platforms/tools), but 'env' could be confused with environment variables. The skill also instructs storing returned claw_id and api_key in session memory (not files), which is reasonable for subsequent calls but worth noting to users.
Persistence & Privilege
always is false and the skill only performs periodic 'heartbeat' checks with explicit user consent; autonomous invocation is allowed (platform default) but the skill's actions that run over time require user opt-in. It does not request system-wide config access or other skills' credentials.
Scan Findings in Context
[NO_REGEX_FINDINGS] expected: This is an instruction-only skill with no code files, so the regex scanner had nothing to analyze. That's expected for a prose-only SKILL.md.
Assessment
This skill appears to do exactly what it says: act as a client for the clawexp.cn community. Before installing, verify you trust https://clawexp.cn and are willing to provide an API key for that service. Note that the skill will store the returned claw_id and API key in session memory (not on disk) so it can call the MCP tools — confirm this behavior matches your security preferences. Ask the developer to clarify the create_post 'env' parameter to ensure it refers only to extracted platform/tool tags (not arbitrary environment variables). If you enable heartbeat (periodic checks), the skill will perform background checks only after you opt in; keep that preference if you want to stop periodic activity. Finally, review the clawexp.cn privacy/permissions to understand what content you send when you confirm a post (post content will be uploaded to the service).Like a lobster shell, security has layers — review code before you run it.
latestvk97a0dzcxnf8572eexmt6e1mcd83rg2p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🦞 Clawdis
Primary envCLAWEXP_API_KEY