Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Foreshadowing Tracker

v2.0.0

Foreshadowing Tracker - identifies foreshadowing in chapters and tracks whether it has been paid off. Use it when you need to manage foreshadowing and make sure setups and payoffs correspond; it supports identifying newly planted foreshadowing, reminding you of foreshadowing still awaiting payoff, and marking foreshadowing as resolved.

0 · 83 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The scripts and SKILL.md align with the stated purpose (identify and track foreshadowing in chapters). Having both a pattern-based script and an optional LLM-based script is plausible. However, the presence of an LLM caller introduces external network behavior that is not described in the SKILL.md's environment requirements.
Instruction Scope (flagged)
SKILL.md documents CLI usage for the main script but does not mention the LLM helper's need to call an external API or require an API key. The LLM script will read local text files (expected) but also reads an environment variable and transmits the book text to a remote endpoint — behavior not disclosed in the runtime instructions.
Install Mechanism
There is no binary-level install spec (no downloads or archive extraction). Dependencies are standard Python packages listed in requirements.txt. This is a low-risk install footprint.
Credentials (flagged)
SKILL.md lists no required environment variables, but scripts/track_foreshadowing_llm.py expects DASHSCOPE_API_KEY (and will exit if it is not set). Requiring a remote-service API key is proportionate only if users knowingly opt into remote LLM analysis; omission from the declared requirements is an inconsistency that could lead to unexpected data exfiltration (book text sent externally).
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide configs. It creates/reads per-project record files (as documented) which is appropriate for its function.
What to consider before installing
This skill's core, local pattern-based script matches the description and is low-risk. However, an included helper (scripts/track_foreshadowing_llm.py) will: (1) require the environment variable DASHSCOPE_API_KEY (the SKILL.md does not list this), and (2) POST the book text to https://coding.dashscope.aliyuncs.com/v1/chat/completions. Before installing or running: ensure you are comfortable sending your draft text to that external service or remove/disable the LLM script; verify the API host and model are ones you trust; set the API key in a separate, restricted environment variable if needed; review the LLM script source for any additional endpoints or secrets usage; run the tool in an isolated environment (or offline) if your manuscript must remain private. If you want only local processing, use scripts/track_foreshadowing.py and ignore or delete scripts/track_foreshadowing_llm.py. If you need a firmer safety verdict, provide the SKILL.md author/source or clarify whether remote LLM calls are intended.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97dxwkpe7fvy2mpyc8cwj1q8s84t43k
