Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
🇨🇳 China Localization Pack for OpenClaw
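v1.0.0 · China localization toolkit: Chinese search, weather lookup, and Feishu/WeChat/DingTalk integration. Lets users in China use OpenClaw with zero barriers.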
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (Chinese search, weather, Feishu/WeChat/DingTalk/Amap integrations) matches the runtime instructions that call those APIs. However, the registry metadata lists no required credentials or config paths while SKILL.md instructs creating ~/.config/china-localization and storing multiple API keys/secrets there. That metadata–instruction mismatch is concerning because the skill will operate only if you provide sensitive credentials that were not advertised.
Instruction Scope
SKILL.md provides bash/curl examples that read credentials from ~/.config/china-localization and call external APIs (api.tavily.com, wttr.in, open.feishu.cn, api.weixin.qq.com, oapi.dingtalk.com, restapi.amap.com). The instructions do not attempt to read unrelated system files or hidden tokens, but they explicitly instruct storing secrets in plaintext files in your home directory and using them directly in curl commands. Also Tavily is an unfamiliar third‑party endpoint—verify its trustworthiness.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes install-time risk. README suggests optional git clone or ClawHub install, but no automatic downloads or extracted archives are present in the package.
Credentials
The skill effectively requires multiple credentials (Tavily API key, Feishu app id/secret/user token, WeChat app id/secret, DingTalk webhook, AMap key) according to SKILL.md. Yet the skill metadata declares no required env vars or primary credential. Requesting many unrelated secrets (search API + multiple messaging platform tokens) is proportionate to the skill's breadth, but the lack of explicit declared requirements in metadata is an incoherence and a security risk. The instructions also recommend storing these secrets unencrypted in home config files.
Persistence & Privilege
The skill does not request elevated platform privileges (always is false). It is user-invocable and allows autonomous invocation by default (normal for skills). There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill will ask you to provide and store several API keys and tokens in ~/.config/china-localization even though the registry metadata doesn't declare them. Before installing: (1) Verify the publisher and GitHub repo authenticity and whether 'Tavily' is a trusted search/weather provider; (2) Prefer storing secrets in a secure secret store or environment variables rather than plaintext files; (3) Limit token scopes and rotate secrets after use; (4) Inspect any files you add to ~/.openclaw/workspace/skills before running the agent; (5) If you don't need all integrations, only provide tokens for the services you actually use. If you want, ask the skill author to update metadata to declare required credentials and to provide guidance for secure secret storage.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🇨🇳 Clawdis
