Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
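OpenClaw All-Roles Skill Explainer
v1.0.0
Translates ClawHub skill names into plain Chinese, helping users who are unfamiliar with English or technical terminology quickly understand and install the corresponding skills.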
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide Chinese plain-language explanations and auto-install matched ClawHub skills. The included index.js implements a simple local match function which fits the translation/matching purpose, but it requires './glossary.json' which is not present in the file manifest (only a markdown glossary is included). The README/MD also claims '50+ built-in' skills and weekly automatic updates; there is no code or install spec implementing network updates or update scheduling. This mismatch between claims and actual artifacts is an integrity/coherence concern.
Instruction Scope
SKILL.md instructs the agent to match user requests, explain skills in Chinese, and 'after confirmation automatically install' the matched ClawHub skill. The instruction to install other skills is plausible for this translator skill, but the skill bundle contains no code that performs installations or network syncs; that behavior would rely on platform-level capabilities not documented here. The instructions also assert automatic weekly updates of the glossaries, but no mechanism or endpoint is provided.
Install Mechanism
There is no install spec (instruction-only), which is the lowest-risk pattern. No downloads, external installers, or binaries are declared. However, the bundle includes a code file that requires a missing JSON data file; this is an implementation inconsistency (runtime failure risk), not an immediate install-time code-execution risk.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The included code does not reference environment variables or network endpoints. This minimal request surface is proportionate to the stated purpose—except for the unimplemented claims about auto-updates/auto-install which would likely require network access or credentials if actually implemented.
Persistence & Privilege
Flags show always:false and user-invocable:true (defaults). The skill can be invoked autonomously by the agent (platform default) but does not request elevated or persistent privileges. There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
Do not install yet — ask the publisher or maintainer to resolve the inconsistencies first. Specifically:
- Confirm why index.js requires './glossary.json' while only openclaw_skill_glossary.md is included; request the missing glossary.json or a code change to parse the markdown.
- Ask how the 'automatic weekly updates' and 'auto-install after confirmation' are implemented: what endpoints are contacted, what authentication is used, and what domains will be contacted. If network updates are needed, get the exact URLs and a privacy/security review.
- Verify the publisher/authority (no homepage and unknown source). Prefer packages with a verifiable source and changelog.
- If you proceed, restrict the skill to manual invocation until the above are clarified, and avoid granting any credentials or broad network access until you understand its update/install mechanism.
These discrepancies look like sloppy packaging rather than overtly malicious code, but they increase the risk of runtime failures or unexpected network activity, so exercise caution.
Like a lobster shell, security has layers — review code before you run it.
