China Localization
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill mostly matches its localization/search purpose, but it asks users to configure many account and payment credentials, including Alipay private keys, without clear registry declaration or bounded payment behavior.
Install only if you need the localization/search features and are comfortable reviewing the code. Do not add Feishu, WeChat, DingTalk, AMap, or Alipay credentials unless you have a specific need and understand exactly what access they grant; payment private keys should be treated as high-risk and preferably kept out of a global OpenClaw environment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are configured, the OpenClaw environment may hold sensitive payment/account authority that is broader than the implemented functionality explains.
The skill instructs users to configure Alipay payment credentials, including a private key. The included code only stores these values in configuration and does not show bounded payment workflows, approval checks, or clear containment for high-impact wallet/payment authority.
ALIPAY_ENABLED=true
ALIPAY_APP_ID=xxxxx
ALIPAY_PRIVATE_KEY=xxxxx
ALIPAY_PUBLIC_KEY=xxxxx
Do not configure Alipay or other high-impact service secrets unless you have verified exactly how they are used. The publisher should remove unused credential requests or document scoped permissions, sandbox-only behavior, and explicit user approval requirements for any payment/account actions.
A user may provide more account access than the current skill functionality needs.
The package metadata marks many third-party service credentials as required, including messaging, workspace, map, search, and payment credentials, even though registry metadata says no required env vars and the code only implements limited search/weather behavior.
"requiredCredentials": [
"TAVILY_API_KEY",
"FEISHU_APP_ID",
"FEISHU_APP_SECRET",
"WECHAT_APP_ID",
"WECHAT_APP_SECRET",
"DINGTALK_WEBHOOK",
"AMAP_API_KEY",
"ALIPAY_APP_ID",
"ALIPAY_PRIVATE_KEY",
"ALIPAY_PUBLIC_KEY"
]

Configure only the minimum credential needed for the specific feature being used. The publisher should align registry metadata, _meta.json, and SKILL.md, and mark unused or optional credentials accurately.
Installing from a remote repository can run code or dependencies that differ from the reviewed registry artifact if the repository changes.
The skill documents a manual GitHub clone and npm install flow rather than a registry install spec, and the path is hardcoded to a developer-specific home directory. This is user-directed setup, but it is still third-party code and package installation.
git clone https://github.com/vincentlau2046-sudo/china-localization.git /home/Vincent/.openclaw/workspace/dev-skills/china-localization-v2
# install dependencies
cd /home/Vincent/.openclaw/workspace/dev-skills/china-localization-v2
npm install
Prefer installing the reviewed registry package or a pinned release/commit, and adjust the path to your own OpenClaw workspace instead of using the hardcoded example.
Users may trust the skill more than warranted and configure sensitive credentials without checking whether they are necessary.
The documentation uses strong safety/certification language. Although the provided static scan is clean and no hardcoded secrets are visible, these claims should not replace reviewing the requested credentials and integration scope.
🛡️ **Security certification**: Complies with the ClawHub security specification; no hardcoded sensitive information
Treat safety claims as informational only; review the actual credential list, code behavior, and registry metadata before enabling integrations.
