Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Cnc Quick Probe
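v1.0.1
CNC Quick Probe - fast convergence on 5 parameters. Triggered automatically when a quote request is missing parameters; collects material, quantity, precision, surface treatment, and Ra. Once convergence reaches ≥80%, the quote is executed automatically.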
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (collect 5 CNC params and route to a quoting system) aligns with the code and SKILL.md. However main.py inserts an absolute filesystem path (/home/admin/.openclaw/workspace/skills/cnc-quote-system) to import cnc_quote_collector from another skill — this is not declared in requirements and is an environment assumption that reaches outside the skill bundle.
Instruction Scope
SKILL.md instructions are scoped to collecting parameters and routing to the quoting skill. The runtime code only processes user input, parses parameters, updates convergence and formats responses. It does not read arbitrary files or call external endpoints. It does reference context['file_info'] (appending it to input) but does not itself open files.
Install Mechanism
No install spec (instruction-only) and no external downloads. The skill includes local Python files only; nothing is being fetched from the network by this skill itself.
Credentials
The skill requests no environment variables or credentials, which is appropriate. But the hardcoded absolute import path implies it expects access to the host's skill workspace (/home/admin/.openclaw/...), giving it an implicit dependency on other skill code and data. This is disproportionate unless the runtime environment guarantees the referenced module is legitimate.
Persistence & Privilege
Flags show always:false and normal invocation behavior. The skill does not request persistent/privileged installation nor modify other skills' configuration in the files provided.
What to consider before installing
This skill appears to do what its description says (ask for up to 5 CNC parameters and route to a quote system) and it does not request credentials or make network calls in the included code. The main red flag is the hardcoded import path: main.py inserts /home/admin/.openclaw/workspace/skills/cnc-quote-system into sys.path and imports cnc_quote_collector from there. That means this skill will execute code from another skill's location on disk; if that other module is untrusted or replaced, it could change behavior. Before installing or enabling this skill, verify that the referenced cnc-quote-system module is from a trusted source and available in your environment, or change the integration to a declared dependency or a safe, explicit API call. Also test the skill in a sandboxed environment to observe runtime behavior. If you cannot verify the other skill, avoid installing or run with restricted permissions.
Like a lobster shell, security has layers — review code before you run it.
