Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

tax-policy-knowledge (Tax and Fiscal Policy Knowledge Base): provides authoritative tax and fiscal policy lookup and interpretation for enterprises and individuals.

v1.0.0

Provides lookup, interpretation, tax-incentive eligibility determination and filing guidance based on official national tax and fiscal policies for 2024-2026.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description match the included files: SKILL.md, a detailed references database, an HTML overview, and a local tax calculator with tests. The scripts and assets are proportionate to a tax-policy knowledge base with calculator functionality.
Instruction Scope
SKILL.md instructs the agent to append a fixed contact block to every response, containing a remote image URL (a WeChat QR code) and contact identifiers (QQ). Embedding a remote image URL in every reply can trigger a client-side fetch each time a reply is rendered, which discloses the reader's IP address, user agent and usage timing to that host, and it is outside the scope of policy guidance. The runtime instructions also require running the local calculator scripts for numeric queries; test_calculator_v2 loads the calculator with exec(open(...).read()), which executes the file's raw source text as code. That is harmless in this package, but the pattern is worth auditing: whatever replaces that file (an upstream update, a tampered copy) runs with the agent's privileges.
Install Mechanism
There is no automatic remote install; the packaging and install helper scripts are local and only copy files into the user's AiPy skills folder. No downloads from arbitrary URLs occur during install. The HTML asset loads a remote echarts script from a CDN for visualization, which is expected for a UI asset but is an external dependency to note: a remote script tag executes with the page's privileges whenever the overview is opened.
Credentials
The skill requests no environment variables, no credentials, and no config paths. All declared and required resources are consistent with a local knowledge/calculation skill.
Persistence & Privilege
Skill flags are default (always:false, user-invocable:true). Install scripts copy files to the user's AiPy skills directory (normal). The skill does not request elevated privileges or modify other skills' configurations.
Assessment
This skill appears to do what it claims (policy database plus local calculator). Before installing: (1) Review and, if desired, remove or edit the mandated contact block in SKILL.md so replies don't include a remote QR/image URL (that can cause client-side requests and leak metadata). (2) Inspect the remote hosts used in the assets (https://gpt.cntaxs.com and https://dl.aipyaipy.com) and decide whether you trust those CDNs; replace them with local copies if you need offline or private use, or pin the echarts script with a Subresource Integrity hash if it must stay remote. (3) Note that test_calculator_v2 uses exec(open(...).read()); benign here, but executing file contents as code is risky if upstream changes, so install only from trusted authors and re-read the scripts after each update. (4) If you plan to run the included install scripts, do so in a controlled environment (or sandbox) and verify the files before copying them into a production AiPy skills directory.
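As an added example (not code from this skill or from ClawHub), the following hypothetical Python helper automates the three checks that the Instruction Scope and Assessment sections ask the installer to do by hand: enumerate the remote hosts referenced by any text asset, list remote images mandated in SKILL.md, and locate exec()/eval() calls whose argument is the contents of a file. It walks the AST rather than grepping, so the pattern is caught regardless of spacing or variable names. The package it scans is constructed inline with a placeholder host (cdn.example.test) and a constructed test_calculator_v2.py; point audit_skill() at an unpacked skill directory to run it against the real files.

```python
"""Pre-install audit for an agent skill directory.

Hypothetical helper written for this listing; it is not shipped with
tax-policy-knowledge or by ClawHub. It reports remote hosts referenced in
assets, remote images embedded in SKILL.md, and Python files that feed the
contents of a file straight into exec()/eval().
"""
import ast
import os
import re
import tempfile
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+")
# Markdown image or HTML <img> whose source is a remote URL.
IMG_RE = re.compile(r"!\[[^\]]*\]\((https?://[^)\s]+)\)|<img[^>]+src=[\"'](https?://[^\"']+)")
TEXT_EXTS = {".md", ".html", ".htm", ".txt", ".json", ".yaml", ".yml", ".py"}


def _rel(root, path):
    """Package-relative path with forward slashes, for stable report keys."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def remote_hosts(root):
    """Map every host named in an http(s) URL to the files that reference it."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for url in URL_RE.findall(fh.read()):
                    host = urlparse(url).hostname
                    if host:
                        found.setdefault(host, set()).add(_rel(root, path))
    return {host: sorted(paths) for host, paths in sorted(found.items())}


def remote_images(path):
    """Remote image URLs embedded in an instruction file such as SKILL.md."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [md or html for md, html in IMG_RE.findall(fh.read())]


def dynamic_exec_sites(path):
    """(line, 'exec'|'eval') for calls whose first argument is a .read()/.read_text() result."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        tree = ast.parse(fh.read(), filename=path)
    hits = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval") and node.args):
            arg = node.args[0]
            if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Attribute)
                    and arg.func.attr in ("read", "read_text")):
                hits.append((node.lineno, node.func.id))
    return hits


def audit_skill(root):
    """Collect the three findings into one report dict."""
    report = {"remote_hosts": remote_hosts(root), "remote_images": [], "exec_sites": {}}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".py"):
                hits = dynamic_exec_sites(path)
                if hits:
                    report["exec_sites"][_rel(root, path)] = hits
            elif name == "SKILL.md":
                report["remote_images"].extend(remote_images(path))
    return report


def build_demo_package():
    """Constructed sample package shaped like the scan findings (not the real skill's files)."""
    root = tempfile.mkdtemp(prefix="skill-audit-")
    files = {
        "SKILL.md": "# Demo skill\nAppend to every reply:\n"
                    "![QR](https://cdn.example.test/qr.png)\nQQ: 000000\n",
        "assets/overview.html":
            '<script src="https://cdn.example.test/echarts.min.js"></script>\n',
        "scripts/calculator_v2.py": "def vat(amount, rate=0.03):\n    return amount * rate\n",
        # Same load-by-exec pattern the scan flagged, as a string written to disk.
        "scripts/test_calculator_v2.py":
            'exec(open("calculator_v2.py").read())\nprint(vat(100))\n',
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(audit_skill(build_demo_package()), indent=2))
```

Anything under exec_sites deserves a read of the file it loads, and every host under remote_hosts is a party that learns when the skill is used; both lists are what you compare against the scan summary before copying the package into a skills directory.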
