Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
suilight
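v1.0.0 SuiLight Knowledge Salon - a multi-agent knowledge collaboration platform. It has 100 virtual thinkers covering 26 fields (science, philosophy, social sciences, etc.) and supports cross-domain discussion, knowledge accumulation, consensus tracking, and knowledge graph visualization. Use this when the user needs to (1) organize multi-perspective knowledge discussions, (2) create virtual thinker personas, (3) build a knowledge capsule system, (4) implement a knowledge graph, (5) deploy a Streamlit application...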
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, medium confidence
Purpose & Capability
Name/description claim a Streamlit + FastAPI multi-agent knowledge platform; SKILL.md provides repo URL, Python/Streamlit/FastAPI instructions, example APIs and modules that align with that purpose. Registry metadata lacks a homepage/source entry but the SKILL.md points to a GitHub repo (reasonable but reduces transparency).
Instruction Scope
Runtime instructions are narrowly scoped to cloning the referenced repository, installing its Python dependencies, and running the Streamlit UI and API. They do not instruct reading unrelated local files, harvesting environment variables, or sending data to unexpected external endpoints within the SKILL.md itself.
Install Mechanism
This is an instruction-only skill (no install spec). It tells the user to git clone an external GitHub repo and pip install -r requirements.txt — a common but higher-risk pattern because it executes code pulled from the network. The SKILL does not specify pinned releases or provenance checks.
Credentials
The skill declares no required environment variables, credentials, or config paths. The examples and instructions do not request secrets or unrelated service credentials, so requested privileges are proportionate to the stated purpose.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide privileges. It is user-invocable and allows normal autonomous invocation (platform default). No evidence it modifies other skills or system configs.
Assessment
This skill is coherent: it teaches how to deploy a Streamlit + FastAPI project by cloning a GitHub repo and installing Python dependencies. However, cloning and running arbitrary repositories can run arbitrary code. Before installing or running: (1) review the referenced GitHub repository (owner, recent commits, issues) and inspect the code and requirements.txt for suspicious packages or network/exfiltration logic; (2) run the app in an isolated environment (container, VM) and avoid exposing secret credentials; (3) prefer pinned releases or verified sources rather than a casual git clone of a user repo; (4) verify licensing and any external links (ClawHub, docs) if you need long-term use. If you cannot review the repo, treat it as untrusted code.
Like a lobster shell, security has layers — review code before you run it.
