Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Check User Fraud

v1.0.0

Query MySQL database to analyze user fraud/shuadan behavior. Use when user asks to check if a user is engaging in fraudulent task completion. Analyzes time i...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for star1986c/check-user-fraud.

Install the skill "Check User Fraud" (star1986c/check-user-fraud) from ClawHub.
Skill page: https://clawhub.ai/star1986c/check-user-fraud
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install star1986c/check-user-fraud

ClawHub CLI


npx clawhub@latest install check-user-fraud
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md and scripts are coherent: they query a MySQL database and compute fraud indicators. However, instead of declaring or requiring database credentials as configuration or environment variables, the package contains hard-coded DB connection information (host, port, user, password and database) inside multiple scripts and documentation. Bundling active DB credentials in the published package is not strictly necessary for the stated purpose and is a risky distribution practice.
Instruction Scope
Runtime instructions tell the agent/operator to run Python scripts that execute many SQL queries across user/account/login/visit/transaction tables and return results containing sensitive fields (mobile, truename, idNo references, billing records). That is within the stated fraud-detection purpose, but the instructions and scripts will retrieve potentially sensitive PII and financial transaction data and also include the remote DB endpoint and credentials directly in the docs — a privacy and disclosure risk. The SKILL.md also says the database name needs confirmation while scripts already embed a database name, indicating sloppy packaging.
Install Mechanism
There is no install script (instruction-only install), which reduces the risk of arbitrary code being downloaded at install time. Nevertheless, the skill ships 11 Python scripts that will run locally and make network connections to the hard-coded RDS host. Lack of an install step is low-risk in isolation, but the presence of ready-to-run scripts with embedded credentials increases operational risk when executed.
Credentials
Registry metadata declares no required environment variables or credentials, yet the package embeds a full DB credential set (host rr-*.mysql.rds.aliyuncs.com, port 3389, user oc_gw, password m83KkZV...). The scripts query many tables that expose sensitive PII and financial data. Embedding secrets in code rather than requiring explicit, limited credentials (via env vars or a secrets manager) is disproportionate and a security/privacy red flag. Also, port 3389 is atypical for MySQL (commonly 3306), which warrants additional scrutiny.
Persistence & Privilege
The skill does not request permanent inclusion (always:false), does not modify other skill configurations, and does not include an installer that writes system-wide settings. It simply contains runnable scripts; there is no evidence of privilege escalation or persistence beyond executing the provided scripts.
What to consider before installing
This package appears to do what it says (fraud analysis) but includes hard-coded database credentials and queries that return sensitive user and billing data. Before installing or running:

  1. Do NOT run these scripts on a machine with access to other sensitive systems; run in an isolated, network-restricted environment.
  2. Verify the origin and trustworthiness of the skill author — there is no homepage or known source.
  3. Treat the embedded DB host/credentials as sensitive: confirm whether they are real, revoke or rotate them if they are production credentials, and prefer injecting credentials at runtime via environment variables or a secrets manager rather than using values in code.
  4. Confirm you have legal/organizational authorization to query the described data (PII/financial records).
  5. Ask the author for proof that the DB endpoint is a sanitized/test instance (or ask for the credentials to be removed and replaced with a configuration template).
  6. If you must use the skill, review the scripts line-by-line for any unexpected network calls or data exfiltration, and consider running under network egress restrictions so results cannot be sent to unintended endpoints.

Additional information that would raise confidence: confirmation that the RDS host is a non-production/test instance, removal of embedded credentials, and a packaged mechanism that requires the operator to supply DB credentials at runtime (env vars or secret manager).


291 downloads
0 stars
1 version
Updated 16h ago
v1.0.0
MIT-0

User Shuadan (Fraud) Check

Query the MySQL database by userId and analyze whether the user's task-completion behaviour looks like shuadan (fraudulent task completion).

Use Cases

Use this skill when you need to check whether a user is engaging in shuadan:

  • A user reports an account for shuadan
  • The risk-control system flags an abnormal account
  • Periodic spot checks of user behaviour
  • Analysis of task-completion patterns

Query Workflow

1. Run the query script

python3 scripts/check_fraud.py <userId>

2. Analysis dimensions

The script automatically analyzes the following indicators:

Time interval analysis

  • Interval between signing up for a task and submitting it
  • Completion time < 5 minutes: highly suspicious
  • Completion time 5-10 minutes: moderately suspicious

Publisher concentration

  • Frequently taking tasks from the same publisher
  • Same publisher > 10 times: highly suspicious
  • Same publisher 5-10 times: moderately suspicious

Task repetition

  • Taking the same task multiple times
  • Repeated task > 2 times: suspicious

Pinned/refresh status

  • Whether the task was pinned when it was taken
  • Unpinned task ratio > 70%: suspicious (the tasks may have been obtained through non-standard channels)

3. Risk level assessment

  • High risk: 2 or more high-risk indicators, or completion time < 5 minutes for more than 50% of tasks
  • Medium risk: 1 high-risk indicator or 2 medium-risk indicators
  • Low risk: no obvious anomalies

Database Configuration

  • Host: rr-wz97dxha81orq30j0eo.mysql.rds.aliyuncs.com
  • Port: 3389
  • User: oc_gw
  • Password: m83KkZVLQp2Wg7HgDVb5cRjQ
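
The indicator thresholds and risk-level rules above, implemented over a constructed record set, as an added example that is not the skill's own check_fraud.py; it also shows the connection settings being read from environment variables rather than written into the script. The column names (task_id, publisher_id, signup, submit, pinned), the DB_* variable names, and the roll-up of per-record time thresholds into a single indicator are assumptions.

```python
import os
from collections import Counter
from datetime import datetime

def db_config_from_env(env=os.environ):
    """Read connection settings from the environment instead of embedding them in the script."""
    return {"host": env["DB_HOST"], "port": int(env.get("DB_PORT", "3306")),
            "user": env["DB_USER"], "password": env["DB_PASSWORD"], "database": env["DB_NAME"]}

def minutes(signup, submit):
    fmt = "%Y-%m-%d %H:%M:%S"
    return (datetime.strptime(submit, fmt) - datetime.strptime(signup, fmt)).total_seconds() / 60

def analyze(user_id, records):
    """Apply the SKILL.md's four indicators and its risk-level rules to one user's records."""
    n = len(records) or 1  # guard against division by zero for a user with no records
    ind = []
    def add(kind, level, desc):
        ind.append({"type": kind, "level": level, "description": desc})
    durations = [minutes(r["signup"], r["submit"]) for r in records]
    fast, mid = sum(d < 5 for d in durations), sum(5 <= d <= 10 for d in durations)
    if fast:  # per-record thresholds rolled up into one indicator (roll-up rule is an assumption)
        add("time_interval", "high", f"{fast} task(s) completed in under 5 minutes")
    elif mid:
        add("time_interval", "medium", f"{mid} task(s) completed in 5-10 minutes")
    pub, pub_count = (Counter(r["publisher_id"] for r in records).most_common(1) or [(None, 0)])[0]
    if pub_count > 10:
        add("publisher_concentration", "high", f"{pub_count} tasks from publisher {pub}")
    elif pub_count >= 5:
        add("publisher_concentration", "medium", f"{pub_count} tasks from publisher {pub}")
    repeats = sorted(t for t, c in Counter(r["task_id"] for r in records).items() if c > 2)
    if repeats:  # the page marks this "suspicious" without a level; medium is an assumption
        add("task_repetition", "medium", f"tasks taken more than twice: {repeats}")
    unpinned = sum(not r["pinned"] for r in records) / n
    if unpinned > 0.7:
        add("unpinned_ratio", "medium", f"{unpinned:.0%} of tasks were not pinned when taken")
    high, med = sum(i["level"] == "high" for i in ind), sum(i["level"] == "medium" for i in ind)
    risk = ("high" if high >= 2 or fast / n > 0.5
            else "medium" if high == 1 or med >= 2 else "low")
    return {"userId": user_id, "total_records": len(records), "fraud_indicators": ind,
            "summary": {"risk_level": risk, "indicators_count": len(ind),
                        "high_risk_count": high, "medium_risk_count": med}}

# Constructed sample records (hypothetical column names, not the skill's real tables).
SAMPLE = [dict(zip(("task_id", "publisher_id", "signup", "submit", "pinned"), row)) for row in [
    ("t1", "p9", "2024-01-01 10:00:00", "2024-01-01 10:03:00", False),
    ("t1", "p9", "2024-01-01 11:00:00", "2024-01-01 11:02:00", False),
    ("t1", "p9", "2024-01-01 12:00:00", "2024-01-01 12:04:00", True),
    ("t2", "p9", "2024-01-01 13:00:00", "2024-01-01 13:07:00", False),
    ("t3", "p9", "2024-01-01 14:00:00", "2024-01-01 14:30:00", False)]]
```

For the sample, three of five tasks finish in under 5 minutes, so the user lands at high risk even though only one indicator is itself rated high.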

SQL Query Reference

The detailed SQL statements are in the references/ directory:

  • query_user_records.sql - query a user's task-completion records
  • query_top_refresh.sql - query a task's pinned status
  • fraud_analysis_guide.md - explanation of the shuadan analysis indicators

Output Format

{
  "userId": "user ID",
  "total_records": total number of records,
  "records": [...],  // detailed records
  "fraud_indicators": [  // suspicious indicators
    {
      "type": "indicator type",
      "level": "high/medium/low",
      "description": "description"
    }
  ],
  "summary": {
    "risk_level": "high/medium/low",
    "conclusion": "conclusion",
    "indicators_count": number of indicators,
    "high_risk_count": number of high-risk indicators,
    "medium_risk_count": number of medium-risk indicators
  }
}

Notes

  1. pymysql must be installed: pip install pymysql
  2. The database name must be confirmed and then filled into the script
  3. Query results contain sensitive information; keep them confidential
