Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

omg

v1.0.8

Anti-distillation passive detection and alerting skill: monitors request patterns, detects potential knowledge-distillation behavior, and alerts the operator. Passive detection only; it does not modify any response content.

by enoyao @wscats · duplicate of @wscats/sjtu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description (anti-distillation, passive detection + alerting) align with the declared runtime behavior: read-only request metadata analysis and operator alerts. Requested permissions in SKILL.md (request_metadata_read, alert_send) are appropriate for this purpose. No unnecessary binaries or unrelated credentials are demanded in the instructions.
! Instruction Scope
SKILL.md describes only reading metadata fields (timestamps, prompt_hash, request_count, parameter_signature, etc.) and explicitly excludes identity and body fields. However: (1) the outer registry metadata provided with this evaluation lists no required env vars and shows disable-model-invocation=false, while SKILL.md lists optional env vars for webhooks/SMTP and sets disable_model_invocation: true — this is an inconsistency about what the runtime will actually do; (2) the promise to 'never read' identity/request bodies is a behavioral assertion the skill cannot independently enforce — it depends on the platform providing only the listed fields; (3) prompt_hash and other metadata can still be sensitive (hashes may be reversible or linkable by brute force), so the claimed privacy guarantees are partly dependent on platform implementation and hashing strength.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk (nothing is written to disk by the skill).
Credentials
SKILL.md declares optional environment variables only for non-default alert channels (webhook URL, SMTP host and credentials, recipient). These are plausible for alert delivery, and SMTP_CREDENTIALS are marked as secret. However, the outer metadata reported 'Required env vars: none' which conflicts with SKILL.md's optional env settings. If a webhook or SMTP is configured, metadata or aggregated alerts could be transmitted off-platform, creating an exfiltration risk of request-pattern metadata; users should ensure they trust the alert endpoint and validate what fields are included in alerts.
! Persistence & Privilege
SKILL.md sets autonomous: false and disable_model_invocation: true (no autonomous invocation), and always: false — but the registry metadata supplied with the evaluation indicates disable-model-invocation: false (default). This mismatch is material: if the platform honors the registry rather than the SKILL.md, the skill could be invoked autonomously. While the skill claims only passive detection, autonomous invocation combined with external alert channels increases blast radius. There is no request to modify other skills or system settings.
What to consider before installing
This skill's purpose (passive detection of distillation-style request patterns and alerting the operator) is reasonable and the instruction-only format keeps install risk low. Before installing: (1) resolve the inconsistency between the platform/registry metadata and the SKILL.md about autonomous invocation and required env vars — confirm the platform will honor disable_model_invocation: true if you require no autonomous runs; (2) confirm exactly which metadata fields the platform supplies (are prompts actually hashed? what salt/algorithm is used?) because 'prompt_hash' may be reversible for short prompts; (3) avoid configuring webhook or email endpoints you don't fully control or trust — alerts could leak aggregate metadata off-platform; (4) request a test run in a non-production environment and inspect the exact alert payloads and logs to ensure no message bodies or identity fields are being included; (5) if you accept the skill, prefer default 'log' channel (local audit log) over external channels and limit alert recipients. If you need further analysis, provide the platform's permissions model and which of the declared metadata fields it actually supplies so I can reassess.


