Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
领星 ERP (Lingxing ERP)
v1.0.0 · Integrate with Lingxing ERP to query today's orders, product inventory, and retrieve product lists via OpenClaw.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
Name/description promise (Lingxing ERP queries) aligns with the code: the implementation signs requests and calls Lingxing's API to fetch today's orders. However, the registry metadata claims 'Required env vars: none' while SKILL.md and main.py clearly expect ACCESS_KEY and SECRET_KEY — an inconsistency in what the skill declares vs what it actually needs.
Instruction Scope
SKILL.md lists three capabilities (today's orders, inventory, product list) but main.py only implements get_today_orders. The runtime instructions and code only access the configured BASE_URL and credentials and do not read other files or unexpected environment variables, but the missing implementations and mismatch between documentation and code are scope/integrity concerns.
Install Mechanism
No install spec (instruction-only plus a small Python file). This minimizes install-time risk. The code uses the 'requests' library but no installer is provided — not a security risk but could cause runtime failures if the runtime lacks requests.
Credentials
The skill legitimately requires ACCESS_KEY and SECRET_KEY to talk to the Lingxing API (proportionate). However, the registry metadata advertises no required env vars/credentials while SKILL.md and main.py require them — this discrepancy is suspicious and could lead to misconfiguration or hidden credential handling.
Persistence & Privilege
The skill does not request persistent presence (always=false), does not modify other skills or system settings, and does not write to disk beyond normal execution. Autonomous invocation is allowed by default but is not combined with other high-risk factors here.
What to consider before installing:
- The code itself only implements get_today_orders; SKILL.md claims inventory and product-list features that are not present. Don't assume those features exist without asking the publisher.
- The skill requires ACCESS_KEY and SECRET_KEY (used to HMAC-sign API calls) — that's expected for an API integration, but the registry metadata incorrectly lists no required env vars. Confirm how/where you'll provide credentials and whether the platform will store them securely.
- Source and homepage are missing. That reduces trust: prefer skills with a verifiable publisher or project page. Consider requesting the publisher's identity or audit trail before using production credentials.
- Test with limited-scope or read-only API keys first. Monitor network traffic and API use after enabling the skill.
- If you need inventory/product-list functionality, ask the author for an updated release; do not rely on undocumented behavior.
If you want, I can draft questions to ask the publisher or propose a minimal test plan to validate behavior safely.
Tags: amazon, erp, latest, lingxing, orders
