ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

错敏信息检测

基于FastAPI的文本错敏信息检测服务,识别敏感词、错别字及规范表述问题,提供RESTful API接口调用。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 194 · 0 current installs · 0 all-time installs
by@1227323804
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description claims a FastAPI-based RESTful service, but the code is an instruction-style Python module exposing a run(params) entry — there is no FastAPI app or REST server. That mismatch between advertised runtime (a REST API) and the provided code is incoherent and should be clarified. Other aspects (posting content to a UCAP endpoint to perform detection) are consistent with a 'sensitive-check' purpose, but the FastAPI claim is false.
!
Instruction Scope
SKILL.md is minimal and does not disclose key runtime behavior: main.py will (a) treat inputs that look like URLs by launching a headless Chrome via Selenium and fetching the page (dynamic rendering), and (b) POST the fetched or provided content (and userKey) to an external endpoint (https://safeguard-pre.ucap.com.cn/...). The skill therefore performs arbitrary outbound web fetches and transmits fetched page contents to a third-party service — this is broader scope than the SKILL.md implies and has SSRF/privacy/networking implications.
Install Mechanism
There is no install spec (instruction-only skill), but the package includes requirements.txt listing selenium and related HTTP libs. The code expects a Chrome browser + chromedriver available at runtime (webdriver.Chrome()), but the package provides no instructions to install or configure the browser/driver. That missing step may cause runtime errors and suggests incomplete packaging.
!
Credentials
The skill does not request environment variables, but it requires the caller to provide a userKey parameter which is sent to an external pre-production endpoint along with any content or fetched page HTML. The code disables SSL verification on that POST (verify=False) and also adds browser flags to ignore certificate errors — these weaken transport security and increase the risk of leaking sensitive input or man-in-the-middle issues. Requiring a 'userKey' param is expected, but sending arbitrary page contents out and disabling SSL checks is disproportionate unless explicitly justified.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false), does not modify other skills or system configs, and does not require elevated platform presence. It does, however, expect to launch a browser process which is a runtime privilege but not encoded as a platform-level 'always' flag.
What to consider before installing
Before installing or invoking this skill, consider: (1) The description promises a FastAPI REST service but the package is a module with a run(params) entry — ask the author which interface is intended. (2) If you pass a URL, the skill will spin up a headless Chrome (via Selenium) and fetch the page; that allows the skill to access arbitrary internal or external URLs (SSRF risk). (3) The skill sends the content (or fetched page HTML) and the provided userKey to https://safeguard-pre.ucap.com.cn — a pre-production external endpoint — and SSL verification is explicitly disabled, which is a transport-security and privacy concern. (4) The package requires Selenium but gives no guidance for installing Chrome/ChromeDriver; running it may fail or unexpectedly try to execute a browser on the host. (5) SKILL.md is vague and points to another install URL (clawhub.ai) which looks like a placeholder — verify the canonical source first. Recommended actions: do not supply real sensitive data or production credentials to this skill until you confirm the endpoint and obtain an explanation for verify=False; request the author to (a) correct the description to match implementation, (b) document browser/driver prerequisites, (c) remove or justify disabled SSL verification, (d) add an allowlist for fetchable domains or remove URL-fetch behavior, and (e) make SKILL.md explicit about where user data is sent. If you must test, run the skill in an isolated environment (no access to private networks) and with non-sensitive test data.

Like a lobster shell, security has layers — review code before you run it.

Current versionv8.0.5
Download zip
latestvk9794mhy9zf3af6t25tzvqnnbd830wxwpythonvk974gjpe5t5w4k4bhfjrm20eq582nqaksensitive-checkvk9794mhy9zf3af6t25tzvqnnbd830wxwucapvk974gjpe5t5w4k4bhfjrm20eq582nqak

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

  1. 安装https://clawhub.ai/xxxx/sensitive-check-skill 这个技能
  2. 调用错敏信息检测技能,传入参数 userKey=xxxx,content=xxxx

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…