Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Installation Service (OpenClaw 安装服务)

v1.0.0

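A remote installation and configuration service providing one-click OpenClaw installation, Channel configuration, heartbeat task setup, and troubleshooting.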


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yang1002378395-cmyk/clawmart-openclaw-setup.

Prompt Preview: Install & Setup
Install the skill "OpenClaw 安装服务" (yang1002378395-cmyk/clawmart-openclaw-setup) from ClawHub.
Skill page: https://clawhub.ai/yang1002378395-cmyk/clawmart-openclaw-setup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawmart-openclaw-setup

ClawHub CLI


npx clawhub@latest install clawmart-openclaw-setup
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (one‑click install, channel config, heartbeat, troubleshooting) align with the SKILL.md steps. Commands shown (node version check, npm install -g openclaw, openclaw init/channel/heartbeat) are consistent with an installer/helper. Concern: the registry metadata lists unknown source and no homepage, yet the SKILL.md contains a cryptocurrency payment address for paid services — that payment detail is outside normal installer metadata and should be verified.
Instruction Scope
SKILL.md only instructs running environment checks, running npm to install openclaw, initializing workspace, adding channels (which legitimately require app IDs/secrets or scanning), and editing a heartbeat file in the user's home directory (~/.openclaw/workspace/HEARTBEAT.md). It does not ask to read unrelated system files or export data. The guidance to change npm registry for Chinese users is reasonable. No commands in the file attempt to exfiltrate or collect unrelated secrets.
Install Mechanism
There is no install spec for the skill itself (instruction-only), but it tells users to run npm install -g openclaw. Global installation installs code from the npm registry and can execute arbitrary install scripts; since the skill's source is unknown and no verification instructions are provided, this is a potential risk. The SKILL.md does not point to a verified npm package page or checksum to validate the package before installing.
Credentials
The skill declares no required env vars and does not directly request credentials, which is proportional. However, channel configuration will require service credentials (WeChat/Feishu App ID & Secret, Dingtalk webhook) during setup — that's expected. The presence of a USDT TRC20 address for payment is unrelated to the technical setup and is an out‑of‑band request for funds that should be validated before use.
Persistence & Privilege
The skill does not request always:true and is instruction-only. The actions it recommends will modify the host: global npm package installation and creating/editing files under ~/.openclaw. Those effects are normal for an installer but are persistent changes, so users should be aware and verify the package origin before proceeding.
What to consider before installing
This SKILL.md appears to be a legitimate installer guide, but exercise caution before following its commands or paying money. Actions to take before installing or paying:
- Verify the openclaw npm package and its maintainers: check the npm package page and the linked GitHub repository (compare maintainer names, recent activity, issues). Do not install from an untrusted source.
- Inspect the package before global install: use npm view, npm pack to download the tarball and inspect its package.json and install scripts; prefer a local or containerized test (or npx) over global install.
- Do not send funds to the provided USDT address unless you can independently verify the service provider (official website, company identity, verifiable contact). The presence of a crypto address inside the SKILL.md without an authoritative source is a red flag.
- If you must test, do so in an isolated environment (VM/container) and back up important data. Require explicit confirmation for any channel credentials you provide to the tool, and review where those credentials are stored by the openclaw package.
- Ask the skill publisher for a canonical homepage or repository link and documentation that matches the commands in SKILL.md; absence of a source/homepage lowers trust.

Like a lobster shell, security has layers — review code before you run it.

382 downloads
0 stars
1 version
Updated 9h ago
v1.0.0
MIT-0

Created: 2026-03-11
Service provider: ClawMart
