Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
芊云VR全景运营小助手
v1.0.0
A panorama VR work management skill covering account login configuration (uid/token), works, media assets, scenes, hotspots, background music, voice narration, score queries and integration guidance. Use it when the user asks to "configure login information", "create/modify/view VR works", "upload media assets", "configure scenes and hotspots", "add music or narration to a work", "view scores", or "generate integration code".
⭐ 0 · 74 · 0 current · 0 all-time
by tianming (@tianming3)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (9kvr VR panorama management) match the code: tools for works, media, scenes, hotspots, music, voice, scores, and account uid/token configuration. Requiring a local 'vr-api' client to forward requests is plausible for this purpose, but the code implements an implicit installer that downloads a native client (executable) into ~/.9kvr/client which is not surfaced in the skill metadata or install spec — an unexpected side effect for an instruction-only skill.
Instruction Scope
SKILL.md and prompts instruct the agent to accept uid/token and to use the vr-api client (examples show running `vr-api -login -uid <uid> -token <token>`). The runtime code reads/writes session data at ~/.9kvr/auth/vr-session.json and may read environment variables (API_TIMEOUT, AUTH_TOKEN, AUTH_UID, VRAPI_CDN). That file and env usage are relevant to the purpose (storing authentication) but were not declared in the metadata; the prompting enforces subprocess-based login and strict formatting rules which give the agent explicit instructions to call local commands.
Install Mechanism
Although the skill declares no install spec, the API client will automatically download a native executable from a domain (DEFAULT_VRAPI_CDN = https://async.he29.com/public/app/mcp/cli) into ~/.9kvr/client and set it executable. The code attempts .gz extraction or raw download and writes the binary to disk. Silent download-and-execute of a native binary from a third‑party CDN is a high-risk install pattern and should be considered suspicious unless the domain and binary are verified.
Credentials
Metadata lists no required env vars or primary credential, yet the code reads environment variables (API_TIMEOUT, AUTH_TOKEN, AUTH_UID, VRAPI_CDN) and will accept uid/token input to perform login and persist a session. The skill will persist auth to ~/.9kvr/auth/vr-session.json. Requesting or using uid/token is reasonable for this service, but the lack of declared credentials and the potential for the native client to perform arbitrary network I/O makes the credential access more sensitive than the metadata indicates.
Persistence & Privilege
The skill creates and uses persistent directories under the user's home (~/.9kvr/client, ~/.9kvr/auth, ~/.9kvr/skills/cache), stores a session file, and executes a downloaded native client via subprocess. While not 'always: true', this grants the skill persistent disk presence and the ability to execute privileged native code on the host — a material privilege that should be explicitly disclosed and accepted by the user.
What to consider before installing
This skill otherwise looks consistent with its stated VR management purpose, but it silently downloads and runs a native 'vr-api' client from https://async.he29.com into ~/.9kvr and persists session files (uid/token) under ~/.9kvr/auth. Before installing or using it:
- Verify the download domain and binary (async.he29.com / the vr-api client) out-of-band — confirm it's the official 9kvr provider and inspect the binary if possible.
- If you cannot verify the binary, do not allow the skill to run on sensitive machines; instead run it in a sandbox/VM or use a disposable account.
- Be aware the skill will store credentials in ~/.9kvr/auth/vr-session.json; use a least‑privilege account or rotate credentials after testing.
- Ask the publisher to explicitly declare the env vars and the implicit install behavior in the metadata (VRAPI_CDN, AUTH_UID/AUTH_TOKEN usage, directories written).
- If you need higher assurance, request source-of-truth (signed releases, checksums, or a trusted package host) for the native client rather than allowing silent downloads.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- src/tools/develop.py:595: Environment variable access combined with network send.
Version: latest (vk972rmzjesmhxm3ervxy9w9g8d83tamd)
