Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Readonly Consumer

v1.0.0

Keep an OpenClaw-style local runtime on the snapshot-first, thin-BFF-first, read-only Campus Copilot path.

by Yifeng[Terry] Yu (@xiaojiou176)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, and the SKILL.md all describe a read-only, snapshot-first local consumer; the requested actions (starting local MCP/read-only servers, consuming local snapshots) are coherent with that purpose. However, the SKILL.md expects pnpm-based commands and local example files even though the registry metadata declares no required binaries or config paths.
Instruction Scope
Instructions are narrowly scoped to running local pnpm server commands, exporting a snapshot path, and consuming local JSON snapshots. They do not instruct network exfiltration or access to unrelated system areas. Still, they direct the agent to run local commands and read local snapshot files (which could contain sensitive data).
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. Nothing will be written or downloaded by the skill itself.
Credentials
Metadata lists no required environment variables, but the SKILL.md explicitly recommends exporting CAMPUS_COPILOT_SNAPSHOT and implies reliance on local example files and optional mcpServers JSON. This mismatch (undocumented env var / implicit dependency on pnpm) reduces transparency and could cause unintended local file reads.
Persistence & Privilege
always:false and no install/persistence instructions. The skill does not request permanent presence or elevated privileges beyond running local commands when invoked.
What to consider before installing
This instruction-only skill appears to do what it says (start local read-only MCP/consumer processes and read a local snapshot), but the SKILL.md expects pnpm and an environment variable (CAMPUS_COPILOT_SNAPSHOT) that are not declared in the registry metadata. Before installing or invoking: (1) ensure pnpm is installed and you understand/approve any pnpm scripts the skill will run; (2) confirm the example snapshot file(s) referenced exist and do not contain secrets or sensitive student data; (3) run the skill in a sandbox or non-production environment first to observe what local commands it executes; and (4) ask the publisher for an explicit list of required binaries and env vars (and sample commands) to resolve the metadata mismatch. If you need higher assurance, request a version that declares required binaries and env vars in its metadata or provides explicit command listings rather than implicit example references.

Like a lobster shell, security has layers — review code before you run it.

campus-copilot · latest · read-only
