ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

用天气可视化你的心情!基于 AI 情绪分析,将文字转化为天气图标 + 治愈文案。

v1.0.0

情绪分析 CLI 技能。当用户说"mood"、"心情"、"情绪"、"分析情绪"等关键词时触发,调用 mood CLI 工具分析文本情绪,返回天气图标 + 治愈文案。

1· 77·0 current·0 all-time
by@wanwan2qq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to call a local 'mood' CLI and use a DeepSeek API key; requiring DEEPSEEK_API_KEY and a 'mood' binary is coherent with that purpose. However, the bundle does not include the 'bin/mood' executable or a help.js referenced in skill.json; instead the install script runs `npm install -g mood-weather-cli` to obtain the CLI. The skill also documents many channel-specific env vars (DINGTALK_USER_ID, WECHAT_USER_ID, etc.) that are not declared in requires.env — this is extra scope beyond the declared requirements.
!
Instruction Scope
SKILL.md instructs the agent to read ~/.mood-weather-cli.env and several environment variables for automatic user identification (including channel-specific vars) which are not declared in the skill metadata. skill.json's showHelp/action commands point to `node ~/.agents/skills/mood-cli/help.js` (a path/file not present in the bundle) — executing or depending on that file could run arbitrary code. The skill will also transmit user text to the external DeepSeek service (expected) but will perform health checks that may surface config values (examples show revealing 'sk-xxxx...xxxx').
!
Install Mechanism
There is no formal install spec for OpenClaw, but the bundle includes scripts/install.sh which installs the CLI by running `npm install -g mood-weather-cli`. That step fetches and executes remote npm package code (including potential postinstall scripts) not included in this package. Also, the local package.json in the bundle claims a bin path but the corresponding bin/help.js is not present in the release files — indicating the bundle is incomplete and relies on the external npm package.
!
Credentials
The only declared required env var is DEEPSEEK_API_KEY, which is reasonable for a DeepSeek-backed analysis. But SKILL.md documents many additional environment variables for user identification (MOOD_USER_ID, DINGTALK_USER_ID, WECHAT_USER_ID, TELEGRAM_USER_ID, DISCORD_USER_ID, SLACK_USER_ID) and system username fallback; these are not declared in requires.env. The skill's healthchecks and example outputs also indicate the API key value may be shown in outputs, which could risk exposing secret values in logs or UI.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation settings. It does not request elevated privileges or permanent 'always' presence. It does perform local installation steps (via the included install script) but does not modify other skills or system-wide agent settings in the provided files.
What to consider before installing
Before installing or enabling this skill, consider the following: - The bundle is incomplete: the package references a local CLI ('mood') and a help.js under ~/.agents/skills/mood-cli/, but those files are not included here. The install script will run `npm install -g mood-weather-cli` to fetch the real CLI from npm — review that npm package (its repository, versions, and postinstall scripts) before running it. - The skill will send user text to an external service (DeepSeek) using DEEPSEEK_API_KEY. Only provide keys with appropriate scope/limits and avoid using high-privilege or long-lived production keys. Be aware healthcheck examples may display key fragments — check whether the real CLI logs or outputs secrets. - SKILL.md mentions reading many channel-specific environment variables (DINGTALK_USER_ID, WECHAT_USER_ID, TELEGRAM_USER_ID, etc.) that were not declared. If you have sensitive IDs or tokens in env vars, verify the CLI does not read or transmit them unless necessary. - If you want to proceed: inspect the npm package content (https://www.npmjs.com/package/mood-weather-cli or its repository) and any postinstall scripts, run the CLI in a sandbox or container, and rotate the API key after testing. If you cannot review the remote package, treat this skill as higher risk and avoid installing it on sensitive hosts.

Like a lobster shell, security has layers — review code before you run it.

latestvk979rmww6c32m81wzrw275zz5h83fn64

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌤️ Clawdis
Binsmood
EnvDEEPSEEK_API_KEY

Comments