Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PDCA+ISO9001 Quality Management (PDCA+ISO9001质量管理)

v1.0.0

PDCA+ISO9001 quality-management decision-system skill: an AI decision quality-control skill based on the PDCA cycle and the ISO9001 quality system, providing full task life-cycle management, standardized processes, and continuous improvement.

0 · 53 · 0 current · 0 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (PDCA + ISO9001 quality management) align with the included Python scripts (pdca_engine, decision_checker, iso9001_validator, knowledge_manager, report_generator). The only required binary is python, which is proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs running local Python scripts to init projects, run plan/do/check/act, validate decisions, and generate reports — these are within the stated purpose. However, the runtime docs and code reference features that go beyond simple local checks (notifications, auto-learning, self-improving/LCM integration, 'sub-agent dispatch', scheduled tasks). The SKILL.md commands themselves do not show access to unrelated system paths or secrets, but several utility calls (e.g., send_notification, ensure_dir, auto-update templates, auto-learning) could perform network I/O or call external services — SKILL.md does not explain where those endpoints are or what credentials (if any) are used.
Install Mechanism
No install spec; instruction-only with accompanying Python code. Nothing in the manifest downloads or extracts external artifacts. This is lower install risk, but note that the included code will be written to disk when the skill is installed.
Credentials
The skill declares no required environment variables or credentials, yet config.json and the docs mention 'notification_channels': ['webchat'], 'LCM记忆系统对接' (LCM memory-system integration), '子代理调度' (sub-agent scheduling), and '定时任务引擎' (scheduled-task engine) — integrations that normally require endpoints and credentials. The absence of declared API keys or config paths is unexplained: either the integration is local-only (fine) or credentials/endpoints are hard-coded or loaded from elsewhere (risk). Review utils.py and any omitted files to confirm whether network endpoints or secrets are referenced.
Persistence & Privilege
always:false (normal). The code persists data to local directories (data/, knowledge_base/, reports/), which is expected for a knowledge/PDCA system. That file writing is legitimate for this purpose, but it means the skill will store potentially sensitive project/decision data on disk — ensure it runs with least privilege and in an appropriate directory.
What to consider before installing
This skill appears coherent with its stated PDCA/ISO9001 purpose, but you should not install it blindly. Before deploying:
1) Inspect scripts/utils.py and any truncated/omitted files to see what send_notification, auto-learning, and any networking functions do, and whether they contact external endpoints or expect credentials.
2) Search for any hard-coded URLs, API keys, or calls to requests/urllib/subprocess that could exfiltrate data.
3) Run the skill in an isolated sandbox or VM and monitor outbound network traffic and filesystem writes (data/, knowledge_base/, reports/).
4) If integrating with real communication channels (webchat, LCM), ensure you provide explicit, least-privilege credentials and understand where data will be sent.
5) If you lack the ability to review the omitted utility code, treat the skill as untrusted and avoid running it on sensitive systems or with administrative privileges.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

scripts/knowledge_manager.py:284 — Dynamic code execution detected.


Version: latest (vk97fps0zh73m4e9egxewcsxwbx84e8mn)


Runtime requirements

Bins: python