Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Package Version Tracker

v1.0.1

Query version information, release history and dependencies for npm and PyPI packages; supports version comparison and batch queries, responds quickly and requires no API key.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the included code: the Python script queries the public npm and PyPI JSON endpoints and provides version information and a simple version comparison. However, SKILL.md and _meta.json claim support for batch queries and dependency details; the script implements neither batch processing nor extraction of dependency lists as the docs imply.
Instruction Scope
SKILL.md instructs use of public registry APIs and lists rate limits and batch limits. The runtime instructions do not ask for any files, credentials, or unexpected endpoints. But there's a scope mismatch: SKILL.md promises dependency information and multi-package batch queries, while the script only handles single-package queries and returns limited fields.
Install Mechanism
No install spec, no downloads, and one small Python script packaged with the skill. No third-party installers or remote archives are used — low install risk.
Credentials
No environment variables, credentials, or config paths are requested. _meta.json lists 'network' permission which is appropriate for querying public registries.
Persistence & Privilege
Skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or system configuration.
What to consider before installing
This skill appears to perform the described public-registry lookups and does not request secrets or local file access, so it is low-risk in terms of credential exfiltration. However, the documentation overstates features (mentions batch queries and dependency info) that the included script doesn't fully provide — that inconsistency could be sloppy engineering or indicate an incomplete/untested skill. Before installing: (1) review the script if you need batch queries or dependency details (it currently handles single-package queries only), (2) be aware it requires outbound network access to npmjs.org and pypi.org, and (3) if you require the advertised features, ask the author for an updated implementation or patch the script yourself. If you need a security-strong recommendation, treat this as untrusted code until you validate it works as advertised.

Like a lobster shell, security has layers — review code before you run it.

