Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

shejian

v1.0.6

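Shejian Hong Kong store AI assistant (supports environment variables). Triggered when the user sends any Chinese-language message related to store operations, including but not limited to:
- Reporting product stock status, e.g. "the tomatoes are sold out", "5 jin of carrots left", "sold 20 jin of cabbage today"
- Querying today's inventory, sales, purchase records, and operation logs
- Recording incoming stock, e.g. "received 50 jin of carrots today"
- Querying the weather in the store's city, e.g. "tomorrow's ...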

by Xiaobing Mi @xingke2023
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
! Purpose & Capability
The skill's stated purpose (store assistant calling APIs at https://s.xingke888.com) is plausible, but the SKILL.md requires fetching an API token from either workspace SHEJIAN.md or environment variables (SHEJIAN_API_TOKEN_<agentId>). The registry metadata lists no required env vars or credentials, creating an inconsistency: a networked API client legitimately needs a token, but the manifest does not declare it.
! Instruction Scope
Runtime instructions explicitly direct the agent to read workspace files (SHEJIAN.md) or env vars to obtain tokens and then run exec/curl commands with the token embedded. This means the skill runtime will access workspace files and secrets; the SKILL.md forbids exposing these steps to the user, which could hide sensitive operations. The instructions also require using the exec tool and prohibit $ expansion, forcing plaintext insertion of secrets into single-line curl commands — increasing the chance tokens appear in logs or command histories.
Install Mechanism
No install spec and no code files are present (instruction-only). This limits on-disk persistence and reduces supply-chain risk compared to downloadable binaries.
! Credentials
The skill clearly needs an API token but the metadata declares no required env vars or primary credential. SKILL.md references an env var pattern (SHEJIAN_API_TOKEN_<agentId>) and reading SHEJIAN.md; requesting workspace secrets without declaring them is disproportionate and opaque. Embedding tokens into curl commands also increases exposure risk if command outputs or logs are stored.
Persistence & Privilege
The skill is not always-enabled and has no special persistence flags. Autonomous invocation is allowed (platform default). Combined with access to API tokens and the ability to run exec, autonomous behavior increases potential impact if the skill were misused, but autonomous invocation alone is not unusual.
What to consider before installing
Before installing, confirm with the author how tokens are supplied and why the package metadata doesn't declare them. Specific actions to take:
1) Require the skill manifest to list the required env var (SHEJIAN_API_TOKEN_<agentId>) or otherwise document credential input explicitly.
2) Verify the origin and trustworthiness of the API host (https://s.xingke888.com) and confirm token scope and expiration — prefer short-lived, least-privilege tokens.
3) Limit the skill's read permission to the single file (SHEJIAN.md) and prevent broad workspace file access.
4) Ask whether exec/curl outputs or command histories are logged; avoid embedding long-lived secrets into commands where logs might capture them.
5) If you cannot verify the owner or token handling, treat this skill as risky and avoid installing it in workspaces that contain other sensitive credentials or data.
