Skill v1.0.0
ClawScan security
You can talk to the Lightcloud API in NPL natural language, so debugging the Lightcloud API is no longer so confusing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 5:52 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions and API examples match its stated purpose, but its installation guidance recommends downloading a .skill file from a non-official/placeholder domain and instructs writing it into the user's skills directory — a supply-chain risk that doesn't align with the otherwise instruction-only nature of the package.
- Guidance
- The skill's API usage guidance appears correct for Qingyun/Lightcloud and the required secrets (appId, eid, secret) match the documented API. However, be cautious about the installation instructions: they recommend downloading a .skill file from an external URL (a placeholder in the document). Installing a .skill by copying it into ~/.claude/skills or ~/.openclaw/skills gives that file runtime access when the agent loads skills. Only install .skill files from a trusted, verifiable source (official repo or publisher). Before copying, open the .skill file in a text editor to inspect its contents, confirm the download host is legitimate, and prefer to manually run the provided curl/PowerShell examples yourself (without adding a new skill) if you only need usage guidance. Treat your Lightcloud app secret as sensitive — do not paste it into untrusted third-party UIs or share it. If you want a lower-risk test, call the Lightcloud endpoints directly from your own shell using the example curl/PowerShell commands rather than installing a downloaded skill.
Review Dimensions
- Purpose & Capability
- note: Name/description and the SKILL.md content consistently describe Lightcloud/Qingyun form CRUD and token operations, and all required parameters (appId, eid, secret, accessToken) are relevant to that purpose. However, the SKILL.md also provides download URLs such as https://your-domain.com/skills/lightcloud-api.skill (a placeholder/non-official host), which is unnecessary for an instruction-only skill and raises a distribution/trust question.
- Instruction Scope
- ok: Runtime instructions are limited to calling the Lightcloud/Yunzhijia endpoints via curl/PowerShell and describing request/response formats. They do not instruct reading unrelated local files, accessing unrelated env vars, or transmitting data to third-party endpoints beyond yunzhijia.com. The main concern is the step that tells users to copy a downloaded .skill file into ~/.claude/skills (or OpenClaw directory), which, if the downloaded file is malicious, would broaden scope.
- Install Mechanism
- concern: There is no formal install spec in metadata (instruction-only), but SKILL.md recommends downloading a .skill from an external URL (https://your-domain.com/...) and copying it into the user skill directory. That pattern allows an attacker to distribute arbitrary code via that .skill file; the examples use an unverified/placeholder host instead of an official release or repository. Because the install step involves writing content into the runtime skills directory, this is a supply-chain risk.
- Credentials
- ok: The skill requests no declared environment variables or unrelated credentials. The only sensitive values referenced in the docs are the Lightcloud appId, eid, and secret (and the resulting accessToken), which are necessary for the described API operations — this is proportional to the purpose.
- Persistence & Privilege
- note: Skill metadata shows normal defaults (always:false, agent invocation enabled). The SKILL.md asks users to place a .skill file in ~/.claude/skills or ~/.openclaw/skills; writing files into a skills directory grants the skill runtime presence and ability to run when invoked. This is expected for a skill, but adds risk if the downloaded .skill is from an untrusted source.
