Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
China Research
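v1.0.0 · Research tool for social media in mainland China. Trigger conditions: (1) the user wants to understand the real needs in a given field (2) the user wants to research market opportunities in China (3) the user wants to validate product requirements (4) the user asks "what has been happening with XX in China recently" (5) the user mentions "China research", "market research", "user feedback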
by 云峰 (@wuyunfeng8)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to perform web searches across Chinese platforms and its instructions use the 'mcporter' tool to call connectors (glm-search.webSearchPrime / tavily-search). However the skill metadata declares no required binaries or tools. Either the runtime must already provide mcporter and those connectors, or the skill is missing a declared dependency — this is an incoherence that affects whether the skill can perform its stated purpose.
Instruction Scope
Instructions are narrowly scoped to searching public platforms (site: queries), extracting top results, and producing a sourced report — which fits the stated purpose. However the SKILL.md explicitly routes all searches through third-party connectors (glm-web-search, tavily-search) invoked via 'mcporter', which means user queries and topics will be forwarded to whatever endpoints back those connectors. The skill does not document or disclose those endpoints, credentials, or privacy/retention behavior.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — nothing will be written to disk by the skill package itself. That is low-risk, provided the runtime environment supplies the tools the instructions assume.
Credentials
The skill declares no environment variables or credentials, but its instructions rely on external search connectors that often require API keys or configuration. The metadata does not declare those credentials (primaryEnv or requires.env). This omission could hide required secrets or make behavior dependent on platform-specific connectors; users should verify what credentials the runtime's mcporter connectors need and where queries will be sent.
Persistence & Privilege
The skill does not request persistent presence (always: false) and has default autonomy settings. It does not attempt to modify other skills or system settings in the provided instructions.
What to consider before installing
This skill appears to do what it says (search Chinese social platforms and produce a sourced report), but before installing or enabling it confirm the following: (1) the runtime must provide 'mcporter' and the named connectors (glm-search.webSearchPrime, tavily-search) — ask the publisher which binaries/connectors are required or declare them in the skill metadata; (2) identify exactly which external services will receive your search queries (the connectors' endpoints) and review their privacy/retention policies — your search terms (possibly sensitive) will be sent to those services; (3) verify whether any API keys or credentials are needed for the connectors and where those secrets will be stored; (4) ensure the intended scraping/search behavior complies with target platforms' terms of service; and (5) if you require stronger privacy, consider running searches through a trusted, auditable search provider or doing manual sampling instead. If the publisher can confirm the mcporter/connectors are internal and that no external third-party endpoints or undisclosed credentials are involved, the remaining issues are lower risk.
Like a lobster shell, security has layers — review code before you run it.
