ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

A skill for OpenClaw that verifies link validity, source credibility, and factual accuracy of online content.

v1.0.0

链接与资讯真实性核验工具,检查链接是否可访问、交叉验证资讯真实性。

0· 164·0 current·0 all-time
by@wumingyu1688-sudo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description and SKILL.md promise cross-source fact verification using web_search and web_fetch, but index.js only performs HEAD/GET requests and returns a page title; there is no search/cross-check implementation. This is a meaningful mismatch between claimed capability and actual code.
!
Instruction Scope
SKILL.md instructs the agent to use `web_fetch` and `web_search` to cross-verify content and to 'search multiple sources', but the runtime code does not call any search tool or implement cross-verification. The instructions are broader than what the code will do at runtime.
Install Mechanism
No install spec or external downloads; this is an instruction-only skill with a small local index.js. No high-risk install mechanism detected.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not ask for sensitive access.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/system-wide privileges or modify other skills. Autonomous invocation is allowed by default but not combined with other red flags here.
What to consider before installing
The skill's documentation promises cross-source fact-checking but the code only checks whether a URL responds and extracts its <title>. Before installing or using it for verification: 1) don't trust it to perform cross-checks — ask the author or inspect/modify the code to actually call web_search and aggregate sources; 2) be aware the skill will fetch any URL you provide (so don't submit private links or links containing secrets); 3) the fetch timeout and HEAD behavior may not behave as expected in some runtimes — test with known URLs; 4) if you need real fact-checking, request/require an implementation that performs authenticated searches (if needed), documents which search endpoints are used, and shows how results are aggregated/weighted. If the mismatch was accidental, ask the publisher to update SKILL.md or the code to align functionality and provide provenance for its searches.

Like a lobster shell, security has layers — review code before you run it.

latestvk97djp3jqds0was5qcr99dvwxx836eh5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments