Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Intelligent Customer Segmentation
v1.0.0 · Customer segmentation, RFM analysis + precision marketing.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (RFM/customer segmentation) align with the features listed. However, the skill package contains no code and no homepage; the SKILL.md instructs cloning a separate GitHub repository to obtain the implementation, which is a mismatch between the distributed skill and the runtime footprint the skill asks you to run.
Instruction Scope
SKILL.md directs the operator to run: git clone https://github.com/openclaw-skills/ai-intelligent-customer-segmentation; pip install -r requirements.txt; python app.py — i.e., download and execute code from an external repo. The instructions do not declare what the repo contains, what network endpoints it contacts, or what credentials/config it will require. That broad instruction to fetch and execute external code is outside the minimal expectations for an instruction-only skill.
Install Mechanism
There is no install spec in the package itself; instead SKILL.md instructs cloning a GitHub repo and installing requirements. While GitHub is a known host, the repo is not included in the skill bundle and has not been reviewed here. This effectively delegates install/execution to an external, unvetted codebase (potential for arbitrary code execution).
Credentials
The skill declares no required environment variables or credentials, but the external app it asks you to run may require DB connections, API keys, SMTP, or other secrets not declared. The lack of declared env requirements is therefore incomplete and could lead users to supply credentials without proper justification.
Persistence & Privilege
The skill is not marked always:true and does not request elevated persistence. It is user-invocable and allows model invocation (defaults), which is normal. There is no evidence in the package of attempts to modify other skills or system-wide settings.
What to consider before installing
This skill's description is reasonable, but it contains no code and instructs you to git-clone and run an external GitHub project. Cloning and running that repository will execute unreviewed code on your machine and may require or request credentials. Before installing or running it: (1) review the GitHub repo contents (requirements.txt, app.py, README) to confirm behavior and network endpoints; (2) run in a disposable/isolated environment (container or VM); (3) do not provide secrets (DB passwords, API keys) until you verify why they are needed; (4) prefer skills that bundle audited code or use official package releases; (5) if unsure, ask the publisher for provenance or a packaged release before proceeding.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🤖 Clawdis
