ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

local-api-chart-generator

v1.0.3

专为调用本地数据接口并生成图表展示定制的 Skill。接收自然语言指令(如“我要最近一年燃油类型为天然气的扭矩占比”),自动提取参数,请求本地接口,生成 HTML 柱状图并返回完整的 HTML 源码。

0· 110·0 current·0 all-time
by@z904832819

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for z904832819/local-api-chart-generator.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "local-api-chart-generator" (z904832819/local-api-chart-generator) from ClawHub.
Skill page: https://clawhub.ai/z904832819/local-api-chart-generator
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install local-api-chart-generator

ClawHub CLI

Package manager switcher

npx clawhub@latest install local-api-chart-generator
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md align with the stated purpose (fetch local API data and generate an HTML ECharts bar chart). However the SKILL.md instructs executing a python file at a hardcoded absolute path (/Users/laixufei/...), while the skill bundle actually contains build_chart.py — this path mismatch is inconsistent and suggests sloppy packaging or an expectation that the runtime has a specific user environment.
!
Instruction Scope
The SKILL.md forces running the Python script and returning the raw HTML between exact markers with no extra text. The script makes HTTP POST requests to localhost (127.0.0.1:9080) and will include whatever local data the API returns directly in the HTML reply; the strict 'return raw HTML' rule increases the risk of unintentionally exfiltrating sensitive local data to callers. The SKILL.md does not warn about the included static authorization token or side effects of the API calls.
Install Mechanism
Instruction-only skill with included code file; there is no install spec or external download. No third-party install mechanism or remote executable fetch was found.
!
Credentials
The skill declares no required environment variables, yet the Python code embeds a static Bearer token in Authorization headers and forces session.trust_env = False. Embedding a credential in code is disproportionate and unexpected; ignoring environment proxy settings further forces direct localhost access. These are security and maintainability concerns.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always:false, no config paths, no modifications to other skills). Autonomous invocation is allowed (default) but that alone is not flagged.
What to consider before installing
Before installing or enabling this skill: - Understand it will execute a Python script that posts to http://127.0.0.1:9080 and returns whatever data the local API provides embedded in HTML. That can leak sensitive local data to whoever calls the skill. - The SKILL.md points at a hardcoded user path (/Users/laixufei/...) which likely won't exist; confirm how the agent will execute the included build_chart.py (adjust SKILL.md to a relative path if needed). - The code contains a hardcoded Bearer token. Treat that as a secret: ask the author to remove it and use a declared environment variable instead, or rotate the token and restrict its scope/permissions. Hardcoded credentials are a red flag. - The script sets requests.Session.trust_env = False, which avoids proxy interception — combined with the static token this looks intentional; verify the intended local API and trust boundaries. - Test the skill in a controlled environment (isolated VM/container) and review the exact data returned by the local API before enabling it for sensitive data or granting broad agent access. - If you cannot verify the origin or purpose of the embedded token and the author, treat the skill as untrusted and avoid running it against production/local services.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e9224zsx8aevd1sx9f2hrwd8599f9
110downloads
0stars
3versions
Updated 1w ago
v1.0.3
MIT-0
@z904832819
latest
Download

本地接口数据图表生成器 (Local API Chart Generator)

重要:这是一个专为 API 调用设计的技能,必须严格遵守以下执行流程。

🔄 强制执行流程 (Strict Workflow)

第一步:提取参数

从用户指令中提取:

  • 燃油类型(必传):如 柴油,天然气
  • 时间范围(必传):转换为 ['开始日期', '结束日期'] 格式
  • 马力(选传):如 90
  • 排放(选传):如 国六
  • 排量(选传):如 7

第二步:执行 Python 脚本

执行命令:

python3 /Users/laixufei/PycharmProjects/skills/local-api-chart-generator/build_chart.py --fueltype1 "燃油类型" --time '["开始日期", "结束日期"]'

如需带选传参数,可使用:

python3 /Users/laixufei/PycharmProjects/skills/local-api-chart-generator/build_chart.py --fueltype1 "燃油类型" --time '["开始日期", "结束日期"]' --horsepower "马力" --emission "排放" --displacement "排量"

第三步:提取并原样返回 HTML(关键!)

严格约束:

  1. 从 Python 输出中提取 ---HTML_CODE_START------HTML_CODE_END--- 之间的内容。
  2. 直接将这段 HTML 源码原封不动地放在回复的最前面,不要添加任何额外的解释文字。
  3. 禁止使用 [embed]MEDIA: 或任何其他 OpenClaw 内部渲染语法。
  4. 禁止对数据进行额外分析或总结,只需返回 HTML 源码即可。

⚠️ API 调用模式

当通过 /v1/chat/completions API 调用时,回复格式必须为:

<!DOCTYPE html>
<html lang="zh-CN">
...完整 HTML 源码...
</html>

这样调用方可以直接从 choices[0].message.content 中获取 HTML 并在前端渲染。

Comments

Loading comments...