Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cnc Quote Skill
v1.0.0
AI-powered CNC machining quote system with risk detection, material optimization, and multi-channel integration. Built for OpenClaw ecosystem.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
SKILL.md and README describe a Python QuoteEngine, RAG-powered model using 1213 records, DashScope AI integration, multi-channel (QQ, email, API) and filesystem-backed configuration. The published bundle contains only docs (no code modules, no data) and the registry metadata at top lists no required env/config. That mismatch (advertised executable capability vs. no code/data and no declared credentials) is incoherent.
Instruction Scope
Runtime instructions tell users/agents to edit ~/.openclaw/config.json to add a DashScope API key, copy the skill into ~/.openclaw/skills, run python -m cnc_quote_skill.import_data and instantiate QuoteEngine() — actions that read/write config and invoke modules that are not present in the package. The SKILL.md thus directs filesystem and credential changes that are not declared by the registry metadata.
Install Mechanism
No install spec is bundled (instruction-only), which lowers direct install risk. The docs reference installing from a GitHub repo (several URLs included). Installing from that external repo would fetch code — that's a normal workflow but it shifts risk to the external source; absence of a packaged install makes the published skill incomplete.
Credentials
The skill instructs adding a DashScope API key and integrating channels (QQ, email, API) but the registry shows no required env vars or primary credential. meta.json lists channels and fs permissions but the top-level requirements list none — requests for unspecified external API keys and channel credentials are disproportionate to what the registry declares and should be explicitly declared before install.
Persistence & Privilege
always:false (normal), but SKILL.md and examples expect write access to user config (~/.openclaw/config.json) and copying into ~/.openclaw/skills; _meta.json also lists fs.read/fs.write permissions. The combination of undocumented filesystem access and missing code/data elevates concern about what would actually run after installation. No 'always:true' privilege is present.
What to consider before installing
Do not install blindly. The package on the registry is documentation-only but claims runnable code and external AI integration; before installing, verify the upstream GitHub repository contains the actual code and that the maintainer is legitimate. Ask the publisher to: (1) provide the Python package/module referenced (cnc_quote_skill) or a valid install artifact; (2) explicitly declare required credentials and config paths (DashScope API key, QQ/email channel creds) and explain how secrets are stored; (3) supply or document the provenance of the 1213 training records. If you must test, run installation in an isolated environment (container or VM), inspect the source code you download, and avoid pasting API keys into public files. If anything asks to upload your OpenClaw config or private keys to a remote endpoint not documented here, stop and investigate.
Like a lobster shell, security has layers — review code before you run it.
