Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
radxa docs
v1.0.1Use when one Radxa skill should cover the full offline documentation workflow: detect the current board model, map it to the correct product series, deploy o...
⭐ 0· 50·0 current·0 all-time
by@xzl01
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (detect board, map to series, mirror and query offline Radxa docs) matches the provided assets: a device-detection script, a device-series map, and an SKILL.md describing how to mirror and query docs. Required capabilities (local files, git operations when deploying) are consistent with the purpose.
Instruction Scope
SKILL.md stays within the declared purpose (detect device, map to series, check local mirror, deploy/update on user request, query docs). However, the deployment steps instruct cloning external repositories and running Python build/update scripts — actions that reach outside the stated local-docs scope and will execute code pulled from the network. The skill does not instruct reading unrelated system files beyond normal device detection paths.
Install Mechanism
There is no install spec (instruction-only), but the documented deploy flow clones 'https://github.com/ZIFENG278/MDMaker.git' and runs its Python scripts in a venv, with a fallback to a domestic mirror (gitcode.com). Cloning and executing scripts from external repos (and switching remotes if GitHub fails) means arbitrary code will be pulled and run. This is proportionate to a 'deploy docs' action but is higher-risk: the sources are third-party and not pinned or verified, and the fallback host is a different trust domain.
Credentials
The skill requests no environment variables, no credentials, and no privileged config paths. The device-detection script only reads standard system files (/proc, /sys, hostname) appropriate to detecting hardware. There are no unexplained secret or credential requests.
Persistence & Privilege
always:false and no special privileges are requested. The skill will create and use a per-user directory (~/.openclaw/MDMaker) and a Python venv when the user asks to deploy, which is a reasonable local footprint. The agent-autonomy flag is default (disable-model-invocation:false) — this is normal but means the agent could run the deploy steps autonomously unless callers limit it; consider requiring explicit user consent before network operations and code execution.
What to consider before installing
This skill mostly does what it claims (detect board, map to Radxa series, and query local docs). However, its documented 'deploy' and 'update' steps will clone and execute third-party repositories (MDMaker from GitHub and a GitCode fallback). Before allowing deployment or automatic runs, manually inspect the referenced repositories (https://github.com/ZIFENG278/MDMaker.git and the radxa-docs repo) and the build/update Python scripts for unexpected behavior. If you must run the deploy flow, prefer running it interactively in a sandboxed environment or VM, pin commits/tags instead of cloning HEAD, and avoid enabling any autonomous or always-on behavior that would let the agent perform network pulls and execute code without explicit approval.Like a lobster shell, security has layers — review code before you run it.
latestvk97ab5mbzvhb2c2ryjxezsze7n83m073
License
MIT-0
Free to use, modify, and redistribute. No attribution required.