Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
collage-application
v1.0.3: Provides guidance on gaokao (Chinese college entrance exam) application strategy. Based on the candidate's province, subject selection, score, rank and preferences, it generates a science-based application plan and outputs a visualized application list. Use it when the user needs to fill in gaokao college applications.
by @ym9zep
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The stated purpose (generate gaokao volunteer plans and visualized forms) can justify calling a remote service, but the package does not disclose the external endpoint. The create script posts user-sensitive fields (province, score, rank, courses, majors) to https://wxc-college-uat.randomlife.cn which is not mentioned in SKILL.md or metadata — a transparency mismatch.
Instruction Scope
SKILL.md instructs the agent to run local verification and generation scripts, which is fine, but it also instructs use of an API key environment variable (WENXIANG_API_KEY). The instructions do not disclose that user data will be sent to a third‑party HTTP endpoint, nor do they document what is sent. Sending personally sensitive exam data externally without explicit disclosure is out of scope for a user-facing guidance skill.
Install Mechanism
No install spec; only a note to pip install requests. No archive downloads or unusual install behavior were present in the manifest.
Credentials
SKILL.md claims the generator will auto-read WENXIANG_API_KEY from the environment (or accept it as a parameter), but the create_collage_application.py code does not read that env var nor attach any API key to the HTTP request. The skill metadata declares no required env vars but the documentation references one — this mismatch could lead users to provide credentials that may be mishandled or leaked.
Persistence & Privilege
The skill is not always-enabled, has no install that modifies agent/system config, and does not request ongoing privileges or persistent presence.
What to consider before installing
This skill calls an external server with users' exam data but does not disclose that endpoint, and SKILL.md and the scripts disagree about API key usage. Before installing or using it:
(1) do not provide real sensitive data (exact score, rank, personal identifiers) until you verify where data is sent;
(2) ask the publisher for the official source/homepage and why data is POSTed to wxc-college-uat.randomlife.cn;
(3) request code changes so the endpoint and API key handling are explicit (or make generation work fully offline);
(4) if you must test, run the scripts in a sandbox / offline environment and inspect network traffic;
(5) avoid entering any API keys into the dialog unless the developer documents exactly how keys are used and stored.
Latest version: vk976rjzxc8c7ym4jf7b5hx768x83zkmg
