Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Party Building Quarterly

v1.0.2

Automatically collects and summarizes the past quarter's key Xi Jinping speeches, articles, and central meeting spirits into a fixed-format party-building an...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md and included report all align: the skill collects and summarizes recent Xi Jinping speeches/articles from listed official sources. However, SKILL.md specifies a dependency on a 'summarize' CLI (skillhub: summarize-1.0.0) while the registry metadata lists no required binaries or install spec — an inconsistency between what the skill claims it needs and what is declared in the package metadata.
Instruction Scope
Runtime instructions are narrowly focused on web-sourced political materials and require automated searching, extraction, and strict formatting. They do not ask to read local files, environment variables, or unrelated system paths. The phrase '自动搜索最新信息' (automatically search latest information) is somewhat vague and grants the agent broad discretion to crawl/fetch content from the web, but that behavior is coherent with the stated purpose.
Install Mechanism
There is no install spec in the registry, yet SKILL.md requires the 'summarize' CLI (skillhub: summarize-1.0.0). Because no explicit, verifiable install source or mechanism is provided, it's unclear how that tool would be obtained or validated. If an agent or user attempts to install an unknown CLI from an unverified source, that could lead to arbitrary code execution risk. The origin 'skillhub' is not documented here and no download URL, package manager reference, or checksum is provided.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate given the declared purpose of fetching publicly published political texts from public websites.
Persistence & Privilege
Flags indicate default behavior: not always-on, user-invocable, and allowed to be invoked autonomously (normal). The skill does not request persistent system presence or access to other skills' configs.
What to consider before installing
This skill appears to do what it says (collect and summarize official party materials), but before installing or running it:
1) Ask the author to clarify how the required 'summarize' CLI is installed and provide a verifiable source (package name, registry, download URL, and checksum).
2) Do not allow automatic installation of an unknown CLI from an untrusted source — prefer vetted package managers or remove the dependency.
3) If you enable the skill, consider restricting its network access or reviewing fetched results, since it will automatically crawl external websites.
4) If you require higher assurance, ask for an install spec and provenance for all binaries, or request a version of the skill that does not depend on external/unverified tooling.
These steps will reduce the risk of arbitrary code execution while preserving the skill’s intended function.
