Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hanging Out

v1.4.2

Casual social rhythm—light reminders for match pacing and pending replies. Low pressure; same official AILove agent API as loveq.

by 许晨阳 @thesamething
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and claw.json both declare and document a required AILOVE_API_KEY and an external API base (https://heerweiyi.cc/api/v1), which aligns with the described purpose (AILove agent proxy). However, the registry summary at the top of the submission said "Required env vars: none"; that mismatch is an inconsistency that should be resolved before installing.
Instruction Scope
Instructions are narrowly scoped to two API endpoints (GET /agent/matching and POST /agent/questions/{id}/answer), tell the agent to use an Authorization header, and explicitly forbid reading/modifying global platform config. They instruct saving the Key to the skill's own data directory and/or reading from env/memory; there are no instructions to read unrelated files or call other endpoints.
Install Mechanism
This is an instruction-only skill with no install spec or code files to execute. That reduces supply-chain risk because nothing will be downloaded or installed by the skill itself.
Credentials
Requiring a single service-specific API key (AILOVE_API_KEY) is proportionate to the described functionality. Concerns: (1) the top-level registry metadata omitted this env requirement while claw.json and SKILL.md include it (inconsistency); (2) the skill recommends storing the key on disk in ~/.openclaw/skills-data/hanging-out/credentials.json (acceptable but sensitive).
Persistence & Privilege
The skill is not always-enabled, does not ask to modify other skills or system-wide settings, and requests only to write/read files in its own skills-data subdirectory — standard for storing credentials. Autonomous invocation is allowed by default and is not by itself a red flag.
What to consider before installing
Before installing: (1) Confirm the registry metadata is corrected — the skill does require AILOVE_API_KEY even if the top summary said none. (2) Verify the domain https://heerweiyi.cc is legitimate for this service (check the site, privacy docs, and TLS certificate) because the skill's API key is powerful. (3) Prefer providing the API key via secure environment variables or your platform's secret store rather than pasting it in chat; if you save it to ~/.openclaw/skills-data/hanging-out/credentials.json follow the recommended chmod 600 and understand the file is sensitive. (4) Because this is an instruction-only skill (no code to audit), you must trust the written instructions; if you don't trust the external service or the owner, do not install. (5) If you suspect compromise, revoke the Agent Key via the AILove site immediately.

