License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description describe a Huoban (伙伴云) low‑code assistant; the SKILL.md content provides matching guidance on table design, automations, dashboards, and the Huoban API. There is no capability requested that falls outside that scope.
Instruction Scope
The instructions are targeted to Huoban usage: field/view/automation design, chart/dashboard guidance, API client examples, and webhook handlers. The document does not instruct the agent to read arbitrary local files, harvest system credentials, or exfiltrate data to unexpected endpoints. Examples show sending webhooks to third‑party endpoints only in the expected integration context.
Install Mechanism
This is an instruction‑only skill with no install spec and no code files to be written or executed on the host, which minimizes install risk.
Credentials
The SKILL.md includes API usage that requires an API token (api_token / Bearer token) but the skill metadata declares no required environment variables or primary credential. This is an inconsistency: in practice the skill (or a user following it) will need a Huoban API token. Confirm how and where the token would be provided and stored before enabling the skill.
Persistence & Privilege
always is false (default), no install, and the skill does not request system or cross‑skill configuration changes. It does not demand elevated persistence or privileges.
Assessment
This skill appears to be what it says—a Huoban (伙伴云) low‑code assistant—so it's not obviously malicious. However, the documentation shows use of a Huoban API token even though the metadata doesn't declare any required credential. Before installing or using the skill: 1) ask the publisher how the Huoban API token should be provided (agent prompt, skill settings, or environment variable) and where it will be stored; 2) if you supply a token, restrict that token's permissions and use a dedicated/test Huoban account where possible; 3) rotate the token after use and avoid reusing high‑privilege credentials; 4) review any webhook URLs you configure (don't point them to untrusted public endpoints); and 5) if you need stronger assurance, request the publisher add an explicit primary credential field (e.g., HUOBAN_API_TOKEN) in the skill metadata or provide a minimal reproducible example showing how credentials are handled. If the publisher cannot clarify, treat the omission as a policy/quality issue and consider marking the skill untrusted until fixed.
Like a lobster shell, security has layers — review code before you run it.
latestvk97et1hmy7y7e6k6gta2yknrkd830q95
