Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Stainless Client Tracker
v1.0.0专为不锈钢行业设计,管理客户分类、跟进阶段、拜访记录、商机漏斗及自动提醒,提升销售跟进效率。
⭐ 0· 64·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The README describes automation (sending messages, calendar events, syncing to Feishu) and example JS APIs (await tracker.addClient...), but the skill bundle contains no code, no endpoints, and declares no required credentials or config. Either the skill is just a spec (documentation) or it omits the actual integration pieces — this mismatch is unexplained.
Instruction Scope
SKILL.md contains data models, feature descriptions, and usage examples, but no runtime instructions for how an agent should authenticate to Feishu/WeChat/SMTP/calendar services or where network calls should go. It does not instruct the agent to read system files or env vars, but it leaves the integration behavior vague and open-ended, giving the agent broad discretion to decide how to implement integrations.
Install Mechanism
There is no install specification and no code files; that minimizes immediate supply-chain risk (nothing is downloaded or written). However, the lack of an install step also means the advertised functionality cannot be executed as-is.
Credentials
The skill advertises multiple external integrations that would normally require credentials (Feishu, WeChat, email SMTP/API, calendar), but requires no environment variables or config paths and declares no primary credential. This under-specification is disproportionate to the claimed capabilities and is a red flag: either credentials would have to be provided ad-hoc (not declared) or the skill can't perform those actions.
Persistence & Privilege
The skill does not request always:true and has no install hooks; it won't be force-included or automatically persist configuration. Default model-invocation is allowed (normal). There are no indications it modifies other skills or system-wide settings.
What to consider before installing
This package looks like a feature spec or README rather than an implemented skill. Before installing or trusting it, ask the author for: (1) source code or a hosted implementation, (2) exact authentication and config requirements for Feishu/WeChat/email/calendar, (3) where customer data is stored and who can access it, and (4) a provenance/homepage or repository to review. Do not supply any credentials (API keys, SMTP passwords, or OAuth tokens) until you can verify the implementation and access controls. If you need these integrations, prefer a skill that explicitly declares required environment variables and provides code or a trustworthy release URL you can inspect.Like a lobster shell, security has layers — review code before you run it.
latestvk97ad1wwv3q02c3bmfrqxcejdn83n7s2
License
MIT-0
Free to use, modify, and redistribute. No attribution required.