Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ai Intelligent Customer Segmentation
v1.0.0 · Customer segmentation, RFM analysis + precision marketing.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (RFM customer segmentation and precision marketing) align with the listed tech stack (Python + FastAPI) and the SKILL.md install steps (git clone, pip install, python app.py). However the registry metadata lists no required binaries or install spec while the instructions clearly assume git, pip and python are available — that's an inconsistency that should be clarified.
Instruction Scope
SKILL.md instructs cloning a GitHub repository and running its Python app (pip install -r requirements.txt; python app.py). Those instructions will cause downloading and executing third‑party code; the file does not request environment variables or file system reads beyond running the app, but executing external code expands the skill's effective scope and risk.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md contains manual install commands that fetch code from GitHub. Pulling and running code from an external repo is a high-impact action — GitHub is a common host (reduces some risk) but the repo/maintainer's trustworthiness is not established in the metadata (source/homepage unknown).
Credentials
The skill declares no required environment variables or credentials and SKILL.md does not request any secrets. That is proportionate to a standalone analysis app. Note: the runtime instructions implicitly require network access and local execution privileges (git/pip/python), which were not declared.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide configuration or access to other skills. There is no evidence it modifies other skills or agent settings.
What to consider before installing
This skill appears to be a customer-segmentation tool, but the SKILL.md tells you to clone and run a GitHub repo even though the registry lists no install requirements — that mismatch and the fact you'll execute external code are the main risks. Before installing or running anything: (1) inspect the GitHub repository and commit history to confirm the maintainer and review source code for network calls or credential usage; (2) run in an isolated environment (container or VM) and do not run as root; (3) verify requirements.txt and any startup scripts for unexpected behavior; (4) prefer a published homepage or explicit maintainer identity and a formal install spec from the registry. If you cannot review the repo, treat this skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🤖 Clawdis
