ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Workflow Master

v1.0.0

AI工作流大师,集成内容创作/数据分析/自动化/报告生成的一站式工作流。触发词:'做这个'、'帮我搞定'、'AI工作流'、'自动化'、'批量处理'、'一键生成'、'效率工具'。通过串联多个AI能力,实现复杂任务的自动化完成。

0· 77·0 current·0 all-time
by@windy-001-crypto
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims broad capabilities (web scraping, multi-platform publishing, automatic ticket creation, knowledge-base matching). Those capabilities normally require API endpoints and credentials for target services (e.g., 小红书/抖音/公众号、工单系统). The package declares no env vars, credentials, or config paths, which is an inconsistency (useful functionality but missing required integration details).
!
Instruction Scope
SKILL.md instructs the agent to perform actions that imply reading external URLs/files and interacting with remote services (网页爬取/文件读取/知识库匹配/自动创建工单/发布到多平台). The instructions are high-level and permit the agent to 'infer' missing inputs, which is vague and could lead to broad data collection or attempts to access unknown local/remote resources without explicit boundaries.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes on-disk code execution risk and there are no download URLs or package installs to review.
!
Credentials
Declared requirements list no environment variables or credentials, yet the workflows describe actions that typically require secrets (platform API keys, service tokens, ticketing system credentials). The absence of declared credentials is disproportionate to the claimed capability and leaves unclear how the skill will authenticate to external systems.
Persistence & Privilege
Flags show always:false and no special OS or persistent hooks. The skill does not request permanent presence or elevated platform privileges in the manifest.
What to consider before installing
This skill promises scraping, multi-platform publishing, and automatic ticket creation but doesn't declare how it will authenticate or which endpoints it will use. Before installing or enabling it: 1) ask the publisher how integrations and credentials are supplied and where network/file access occurs; 2) do not provide API keys or admin credentials until you confirm exact endpoints and minimal required scopes; 3) require explicit confirmation in the skill for any action that publishes or creates records (do not allow automatic posting); 4) prefer running it in a controlled environment or with test accounts first; and 5) if you need the automation, request the author to list required env vars, config paths, and safe defaults so you can review them.

Like a lobster shell, security has layers — review code before you run it.

aivk975b83hvh09ttpz41psxz321x83mwqgautomationvk975b83hvh09ttpz41psxz321x83mwqgcontentvk975b83hvh09ttpz41psxz321x83mwqggeneratorvk975b83hvh09ttpz41psxz321x83mwqglatestvk975b83hvh09ttpz41psxz321x83mwqgproductivityvk975b83hvh09ttpz41psxz321x83mwqgworkflowvk975b83hvh09ttpz41psxz321x83mwqg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments