Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
junior-high-math-research-plans
v1.0.0提供基于人教版2024新版初中数学教材的完整教学资源、教学计划、练习题制作和教学进度分析支持。
⭐ 0· 403·2 current·2 all-time
by@ymf508
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the included code and resources: modules generate lesson/chapter/semester plans, search packaged resource index files, and provide templates. However package.json declares openclaw.permissions: ["read","write","exec"], and the MathResourceFinder contains a hard-coded basePath ('E:\\教学资料') — these are larger privileges or environment assumptions than strictly necessary for the packaged functionality.
Instruction Scope
SKILL.md usage examples and runtime instructions stay within the described educational scope (find resources, generate plans, create exercises, analyze progress). The instructions ask only for basic file read/write permissions which matches the code behavior. The SKILL.md does not instruct the agent to contact external endpoints or read unrelated system secrets.
Install Mechanism
This is an instruction+code skill with no external install spec and no network downloads; all files are included. There are no URLs, archives, or third-party installers fetched at install time — low install risk.
Credentials
No environment variables or credentials are required (none declared). That is appropriate. Minor disproportion: package.json requests 'exec' permission in addition to read/write; the code does not invoke child processes or exec external binaries, so 'exec' may be unnecessary and broad. Also the presence of a hard-coded Windows path in MathResourceFinder suggests an expectation of access to user-local teaching directories (though current code reads packaged resources from the skill folder).
Persistence & Privilege
Skill does not request 'always: true' and does not modify other skills or global agent settings. Scripts write files only within the skill folder (reports and CHANGELOG), which is normal for a packaged skill; no system-wide changes are made.
What to consider before installing
This package appears to implement the advertised teaching-plan and resource-search features and includes all resources and templates in the bundle. Before installing or enabling it for an agent, consider the following: 1) Inspect package.json's openclaw.permissions — it requests 'exec' though the code doesn't use child_process; prefer to remove that permission unless you trust the author. 2) The resource-search class contains a hard-coded basePath ('E:\\教学资料') and the resource index files reference E:\ paths — verify the skill will only read its packaged resources (resources/*.md) and will not be pointed at arbitrary local directories on your machine unless you intentionally configure it. 3) The release-prep script writes files into the skill directory (报告, CHANGELOG) — that's expected, but review what it writes and where. 4) There are no network calls or secret requirements, which reduces exfiltration risk; still, run the skill in a sandbox or with limited permissions first and review the code if you plan to install in a production environment. 5) Note the license: "教育用途免费,禁止商业用途" — ensure the license terms meet your needs.Like a lobster shell, security has layers — review code before you run it.
latestvk975xqtma3ha3mgxjpcv6009yd81v18t
License
MIT-0
Free to use, modify, and redistribute. No attribution required.