Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Banjixiaoguanjia

v1.0.0

自动化班级小管家作业截图工具。支持连接 Chrome 调试端口、进入指定课程、滚动查看学生列表、截取学生作业图片。专为小学数学老师设计，用于批量获取学生作业截图进行批改。

⭐ 0· 61·0 current·0 all-time

by@wosuiyu

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

high confidence

Purpose & Capability

The skill's name/description (screenshot + optional AI analysis for a classroom app) matches the included Playwright scripts that connect to a local Chrome debugging port and capture screenshots. However, the code also contains an embedded API key and direct calls to a remote inference endpoint (dashscope.aliyuncs.com) for image analysis; the package metadata declares no required credentials yet multiple scripts expect or embed API credentials. That mismatch (no declared credential requirement but hard-coded key / remote API usage) is incoherent and concerning.

Instruction Scope

Runtime instructions and many scripts instruct the agent to: connect to a local Chrome CDP, navigate the teacher web app, capture screenshots of students, write temporary Python scripts that embed base64-encoded images, and call an external model endpoint. Capturing and then transmitting student images to an external service is exactly what these instructions do — this is beyond simple local automation and has clear privacy/exfiltration impact. The SCRIPT-GUIDE also describes an automated 3-stage pipeline (capture → download → AI analysis) and states a trigger that runs the full flow without confirmation, increasing risk if run automatically.

✓

Install Mechanism

No external install/downloads are declared; the metadata expects node/npm and Playwright, and there is no packaged install script that fetches arbitrary remote code. The risk from install mechanism itself is low; the security concerns arise from the included code and runtime behavior rather than from an installer that pulls unknown binaries.

Credentials

The registry metadata declares no required environment variables, but many scripts (some archived) read process.env.DASHSCOPE_API_KEY and several production scripts embed a long-lived API key directly in source ('sk-14d72e...') and a non-standard base_url (https://dashscope.aliyuncs.com/compatible-mode/v1). Embedding an API key in repo is inappropriate and unexpected given no declared credentials; it means images get sent to an external service without a clear, explicit credential prompt. That is disproportionate for a screenshot helper and poses data-exfiltration and credential-leak risks.

ℹ

Persistence & Privilege

The skill does not request 'always: true' or system-wide persistence. However, the SCRIPT-GUIDE instructs that a single user utterance should trigger the entire capture→download→AI-analysis pipeline 'without confirmation'. Combined with the hard-coded API key and external network calls, this workflow could result in automated, unexpected transmission of student data if the agent invokes the skill autonomously. Autonomous invocation alone is normal, but combined with the other concerns it increases the blast radius.

Scan Findings in Context

[unicode-control-chars] unexpected: The SKILL.md contained unicode control characters detected as prompt-injection patterns. This suggests the documentation may include characters intended to interfere with or manipulate automatic evaluators or parsers. Combined with other issues (hard-coded API key and external API usage) this raises suspicion.

What to consider before installing

What to consider before installing or running this skill: - Privacy risk: the scripts capture student homework screenshots and then construct Python payloads that embed those images (base64) and send them to an external inference endpoint (dashscope.aliyuncs.com). If you run the analysis step, student images will leave your machine. - Hard-coded credential: the repository contains a hard-coded API key (visible in analyze-homework.js). That key being embedded means either the key is leaked/stolen or the developer expects you to rely on their account. Either way, it's a red flag — you should not rely on or run code that ships with embedded secret keys. - Credential declaration mismatch: the skill metadata declares no required env vars, but some scripts use process.env.DASHSCOPE_API_KEY and others ignore env vars and use the embedded key. This inconsistency is concerning and should be clarified by the author. - Execution behavior: scripts create temporary Python files containing base64-encoded images and call python3 via execSync. Review the code paths that write temp files and remove them to avoid accidental leakage. Running the full pipeline can be fully automated and may run without per-step confirmation per SCRIPT-GUIDE. Recommended actions: 1. Do not run the AI-analysis scripts until you confirm the destination, ownership, and privacy policy of the external API. Ask the author to remove the embedded API key and to require users to provide their own credentials via a documented env var. 2. If you need only local screenshot capability, use only the capture scripts and disable/inspect any analyze/download scripts. Verify those capture scripts do not call any external network endpoints before running. 3. If analysis is required, provision and use your own API key and endpoint (and ensure the skill documents that requirement); prefer sending data to services you control or to on-prem/local models to protect student data. 4. Audit the repo for all occurrences of 'sk-' keys and any other secrets; if the embedded key is a real live credential, consider it compromised and rotate/revoke it. 5. Run the code in a sandboxed environment (isolated VM) and monitor outgoing connections (especially to dashscope.aliyuncs.com and other unknown hosts) before giving it access to real student data. 6. Ask the publisher for provenance (who owns this skill?), a privacy statement, and an explicit list of external endpoints used. If the author is unknown and you cannot verify these, avoid using the analysis features with real student images. If you want, I can point to the exact lines/files where the embedded key and remote API calls appear and list the minimal changes to make the code safer (e.g., replace embedded key with env var, remove auto-run triggers, or stub out external calls).

✗

analyze-homework.js:88