Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Drpy Source Creator
v1.0.0drpy视频源创建与调试技能。当用户需要创建、修改、调试drpy视频源(用于TVBox、海阔视界、ZYPlayer等播放器)时使用此技能。包括drpy源属性配置、模板继承、正则表达式编写、本地代理设置、不同类型源(影视/听书/漫画/小说)支持。
⭐ 0· 114·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (drpy source creation & debugging) aligns with included files: templates, examples, documentation, a Python site-analyzer, and Node scripts for validation/minification. Nothing in the manifest asks for unrelated cloud credentials or system access.
Instruction Scope
SKILL.md and example code instruct the agent to fetch website HTML, run parsing/selector tests, and run local validation/minify scripts — all directly relevant to building drpy sources. Note: analyze_site.py will make outbound HTTP requests to target sites (expected). Also the skill uses $js.toString / code-as-string fields and runtime-evaluated JS templates (intended for drpy) — these will execute in the drpy runtime/environment when loaded, which is expected for this use case but means arbitrary JS from a source could run in that runtime.
Install Mechanism
No install spec; this is instruction-plus-code only. Scripts are local (Python and Node). The minify script shells out to a locally installed uglifyjs (execSync) if present — expected for a minifier, not a remote code download. No downloads from unknown URLs or archive extraction found.
Credentials
The skill declares no required env vars, no credentials, and no config paths. The code and docs do not attempt to read unrelated system secrets. Network access to target websites is required for analysis (appropriate for purpose).
Persistence & Privilege
Flags show normal privileges (always:false, agent-invocable allowed). The skill does not request permanent/system-wide presence or modify other skills. It operates on local files and remote websites as expected for a source-creation tool.
Assessment
This skill appears coherent and implements exactly what it claims: templates, examples, docs, a site analyzer, and local validation/minification tools. Before installing: (1) be aware the Python/Node scripts will perform outbound HTTP requests to any site you analyze (this is intended), (2) the minify script runs the local uglifyjs binary via execSync — ensure you trust your environment and have uglify-js from a trusted source if you run it, (3) template code includes strings that will be evaluated in the drpy runtime (so loaded/used rules can execute JS in that environment), and (4) the package metadata has no homepage or known source owner — if provenance matters, review the code files yourself or run them in an isolated environment before use.scripts/minify_drpy.js:36
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97arrt0bfb6nqt7st6wkxpyyx836tkr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.