Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sano Intel · 探针资本
v1.0.0 Produced by Probe Capital (探针资本). A Chinese healthcare industry intelligence engine covering 100,000+ medical companies, 500,000+ financing events, 1.09 million patents, clinical trials across the whole market, and quotes from the A-share, Hong Kong and US markets. Look up companies, financing, clinical trials, patents, sector heat, and secondary-market quotes. By Probe Capital. Use when user asks about Chinese healthcare/biot...
⭐ 0 · 74 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Chinese healthcare intelligence API and the provided curl examples align with that purpose. However the skill metadata declares no required environment variables while the runtime instructions clearly require a SANO_TOKEN — this mismatch is concerning and indicates the manifest is incomplete or inaccurate.
Instruction Scope
Runtime instructions direct the agent to export and use a secret (SANO_TOKEN) and to call endpoints at http://47.102.196.1:8081 using curl with the token in the X-API-Key header. Plain HTTP means the token is sent in cleartext and can be read or replayed by anyone on the network path, and a bare IP address gives no domain name or certificate against which the server's identity can be verified. The SKILL.md also points users to an external Feishu link to obtain a token. These are security and provenance risks beyond the normal scope of a query-only intelligence skill.
Install Mechanism
This is an instruction-only skill with no install steps and no code files, which minimizes install-time risk (nothing is written to disk).
Credentials
The only runtime secret the instructions require is SANO_TOKEN, which is proportionate for an API-based service. However the skill metadata does not declare any required env vars while the SKILL.md instructs users to set SANO_TOKEN — this inconsistency increases risk because automated permission checks or user prompts may not surface the need to protect/provide the token. Also, sending that token over HTTP to a bare IP is disproportionate from a security standpoint.
Persistence & Privilege
The skill does not request always: true and has no install behavior or claims to modify agent/system config. It does not request persistent elevated privileges.
What to consider before installing
Things to check before using this skill:
- The SKILL.md asks you to set SANO_TOKEN, but the skill metadata doesn't declare it. Treat that as a red flag: the manifest should list required secrets.
- The API base is an IP (47.102.196.1) served over HTTP. That means your token would be transmitted unencrypted; ask the publisher for an HTTPS endpoint and a domain name you can verify.
- The token request link is an external Feishu share URL. Verify the link and the publisher's identity (Probe/探针资本) out-of-band before entering a token.
- If you must test, use an ephemeral/restricted token and monitor outgoing network traffic. Do not reuse sensitive credentials.
- Consider asking the skill author to: (1) update the manifest to declare SANO_TOKEN, (2) publish an HTTPS hostname and official API docs, and (3) explain hosting and data handling (especially given medical data/regulatory concerns).
Given these issues, do not provide any production or high-privilege credentials until you have independent confirmation of the API's legitimacy and an HTTPS endpoint.
Like a lobster shell, security has layers — review code before you run it.
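The first two checks in the list above (a secret referenced by the instructions but absent from the manifest, and a plaintext or bare-IP endpoint) can be automated. The audit below is an added example, not code from ClawHub or from the skill's publisher. The SKILL.md text and manifest are constructed to mirror what the scan reports (an export of SANO_TOKEN and a curl call to http://47.102.196.1:8081 with an X-API-Key header); the manifest key names (requires.env, always) are an assumption about the manifest format, and api.example.com in the hardened variant is a placeholder hostname.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed SKILL.md excerpt modelled on the scan's description (not the real file).
SAMPLE_SKILL_MD = """\
# Sano Intel

Get a token from the publisher's Feishu share link, then:

    export SANO_TOKEN=your_token_here
    curl -H "X-API-Key: $SANO_TOKEN" "http://47.102.196.1:8081/company?q=xxx"
"""

# Constructed manifest: the scan says no required env vars are declared.
# The "requires.env" and "always" keys are an assumed manifest layout.
SAMPLE_MANIFEST = {"name": "sano-intel", "requires": {"env": []}, "always": False}

# Hardened variant the list above asks the author for: secret declared,
# HTTPS, and a hostname (api.example.com is a placeholder).
HARDENED_SKILL_MD = SAMPLE_SKILL_MD.replace(
    "http://47.102.196.1:8081", "https://api.example.com"
)
HARDENED_MANIFEST = {"name": "sano-intel", "requires": {"env": ["SANO_TOKEN"]}, "always": False}

# Matches "export NAME=" and "$NAME" / "${NAME}" references in shell snippets.
ENV_REF = re.compile(r"(?:^|\s)export\s+([A-Z][A-Z0-9_]+)=|\$\{?([A-Z][A-Z0-9_]+)\}?")
URL_REF = re.compile(r"https?://[^\s'\"<>)]+")


def referenced_env_vars(text):
    """Every upper-case variable the instructions export or expand."""
    return {m.group(1) or m.group(2) for m in ENV_REF.finditer(text)}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_skill(skill_md, manifest):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    declared = set(manifest.get("requires", {}).get("env", []))
    for var in sorted(referenced_env_vars(skill_md) - declared):
        findings.append(
            f"undeclared secret: {var} is used by the instructions but not in the manifest"
        )
    for url in URL_REF.findall(skill_md):
        parts = urlparse(url)
        host = parts.hostname or ""
        if parts.scheme == "http":
            findings.append(f"plaintext endpoint: {url} sends credentials unencrypted")
        if is_ip_literal(host):
            findings.append(
                f"bare IP endpoint: {host} cannot be verified by a domain name or certificate"
            )
    if manifest.get("always") is True:
        findings.append("persistence: manifest requests always: true")
    return findings


if __name__ == "__main__":
    for finding in audit_skill(SAMPLE_SKILL_MD, SAMPLE_MANIFEST):
        print(finding)
    print("hardened findings:", audit_skill(HARDENED_SKILL_MD, HARDENED_MANIFEST))
```

Run against the constructed sample this reports three findings (the undeclared SANO_TOKEN, the plaintext endpoint, and the bare IP); the hardened variant reports none. The env-var regex only catches shell-style references, so instructions that name a secret in prose alone still need a manual read.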
latest · vk975zxds86tfes37qm1py9r2bd83vv4w
