ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Media Saber 云助手

v3.0.202604030848

在 Media Saber MCP 中运行云存储和下载任务,包括 115 转移和磁力/ed2k 离线下载。

0· 28·0 current·0 all-time
by逍遥乐@xylplm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and skill.json both describe needing an MCP endpoint URL and an API_KEY (and to read/write ~/.claw/mcpServers.json), which is coherent with a Media Saber MCP integration. However the top-level registry metadata supplied to the evaluator (Requirements: 'Required env vars: none', 'Homepage: none') contradicts the skill.json/SKILL.md. This mismatch between declared registry requirements and the skill's own manifest/instructions is unexpected and should be clarified.
Instruction Scope
Runtime instructions are limited to configuring the MCP endpoint, storing the API key either in an OpenClaw config file (~/.claw/mcpServers.json) or an environment variable, and submitting download/cloud tasks to the specified MCP service. The SKILL.md does not instruct reading unrelated filesystem locations or exfiltrating data to third parties. It does instruct storing a sensitive API key locally and recommends secure file permissions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write or execute. That is low-risk compared with skills that download and run archives or packages.
Credentials
Requesting an MCP endpoint URL and an API key is proportionate to the declared functionality. The skill requests read/write access to ~/.claw/mcpServers.json to store the endpoint and key, which is expected but sensitive. The main concern is the registry metadata mismatch which initially listed no required env vars; confirm which view is authoritative. Ensure you provide a least-privilege API key (not a full admin key).
Persistence & Privilege
The skill does not request 'always' privilege, does not modify other skills' configs, and only asks to read/write its own OpenClaw config path. Default autonomous invocation is allowed (platform default) but not unusual here.
What to consider before installing
This skill appears to do what it says — control Media Saber MCP tasks — but two mismatches should make you pause: (1) the registry metadata you were shown claims no required environment variables or homepage, while the skill's own SKILL.md and skill.json clearly require an MCP_ENDPOINT_URL and an API_KEY and list a homepage. Ask the publisher (or the registry) to explain the discrepancy before installing. If you proceed, only connect to MCP endpoints you control or fully trust, use a least-privilege API key (not an admin key), prefer HTTPS, restrict ~/.claw/mcpServers.json file permissions (e.g., 600), and rotate/revoke the key if you suspect misuse. If you cannot verify the publisher or the endpoint, test the skill in an isolated/sandboxed environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9793yqxqgv5bcx3yh97r68wqx844nem

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Media Saber 云助手

为云任务操作使用此技能。

🔐 安全性和权限声明

本技能需要以下权限和凭证,确保完全透明:

所需凭证

  • MCP_ENDPOINT_URL: Media Saber MCP 服务的实际地址

    • 示例:http://localhost:22698/message
    • 敏感性:(地址通常是内部网络或已知地址)
    • 用途:连接到 Media Saber MCP 服务

  • API_KEY: 用于验证与 Media Saber MCP 服务的连接

    • 存储位置:OpenClaw 环境变量或配置文件
    • 敏感性:(不会在日志中显示)
    • 用途:所有文件操作和离线下载

所需网络/文件访问

  • 配置文件修改~/.claw/mcpServers.json
    • 用途:存储 Media Saber MCP 端点配置
    • 访问类型:读和写
    • 操作:OpenClaw 安装时自动配置(需用户确认)

数据隐私

  • 所有文件操作在 Media Saber 系统内执行
  • API Key 从不发送至第三方
  • 下载记录存储在本地

⚠️ 信任验证与最小权限

与外部端点交互时正常执行以下步骤,确保最小权限不超预期:

1. API Key 最小权限原则

  • 需求介于想要接入的是什么 Media Saber 功能(云存储、下载管理等)
  • 尽可能用于数据处理专用 API 密钥
  • 不需要提供完整系统管理权限

2. 端点信任

  • 校验端点是可信的(例如你拥有的属于团队的作地)
  • 不要接入未知组织的远程端点
  • 使用 HTTPS、验证证书等安全配置

3. 配置文件保护

  • ~/.claw/mcpServers.json 配置了你的整个端点信息,包含了敏感的 API 密钥
  • 每次都要确保文件的文件权限(推荐:600)
  • 定期更新、旋转 API 密钥

⚠️ 必须配置:MCP 服务连接

在使用此技能前,您必须配置以下信息

1. MCP 地址配置(需要用户填写)

  • transport: streamable-http
  • endpoint: <MCP_ENDPOINT_URL> (例如:http://localhost:22698/message 或你的其他部署地址)
  • 需要用户填写实际的 MCP 服务地址

2. 认证信息配置(需要用户填写)

请在以下位置之一配置您的 API_KEY

方式 A:OpenClaw 配置(推荐)

~/.claw/mcpServers.json 中配置 Media Saber 连接:

{
  "mcpServers": {
    "MediaSaber": {
      "transport": "streamable-http",
      "url": "http://localhost:22698/message",
      "headers": {
        "Authorization": "Bearer sk-YOUR_API_KEY_HERE"
      }
    }
  }
}

替换 sk-YOUR_API_KEY_HERE 为您的实际 API 密钥

方式 B:环境变量配置

  • 设置环境变量:MEDIA_SABER_API_KEY=sk-your-api-key
  • 该密钥将被自动注入到请求头中

3. 获取 API_KEY

请从 Media Saber 系统获取您的 API 密钥:

  • 访问 Media Saber Web 界面
  • 进入 "设置" → "API 密钥"
  • 复制您的密钥(通常以 sk- 开头)

安全提示

  • ⚠️ 切勿将 API_KEY 硬编码在代码、提示词或文档中
  • ⚠️ 切勿通过不安全的通道传输 API_KEY
  • ⚠️ 定期轮换您的 API_KEY
  • ⚠️ 不要与他人共享您的 API_KEY

主要工具

  • add_offline_download(link)
  • cloud_share_receive(link)
  • test_network()

工作流

  1. 验证链接类型:
    • add_offline_download: ed2k 或磁力链接
    • cloud_share_receive: 115 资源链接
  2. 可选:在任务提交前运行 test_network。
  3. 提交任务并返回服务器响应。
  4. 如果失败,建议重试并检查链接格式。

防护措施

  • 明确拒绝不支持的链接格式。
  • 不要伪造任务 ID 或成功状态。
  • 切勿暴露授权令牌。

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…