ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jpbot-device-skill

v1.0.4

当用户查询九号电动(包含电动自行车和电动摩托车)的车辆信息(车辆开关机状态、车辆充电状态、车辆位置、车辆剩余电量、车辆剩余里程、车辆剩余充电时间)时使用。

0· 306·0 current·0 all-time
by微笑@zhangyang-1

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhangyang-1/jpbot-device-skill.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "jpbot-device-skill" (zhangyang-1/jpbot-device-skill) from ClawHub.
Skill page: https://clawhub.ai/zhangyang-1/jpbot-device-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install zhangyang-1/jpbot-device-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install jpbot-device-skill
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The registry description says it serves queries for '九号电动' vehicles, while the SKILL.md repeatedly references '金彭智能三轮车' (a different vendor). The skill claims the ability to read device state and configure parameters, but declares no credentials, no endpoints, and provides no commands or code to actually perform those integrations — this is inconsistent with its stated purpose.
Instruction Scope
SKILL.md is a high-level feature description and a single canned response ('skill is under testing'). It does not instruct the agent to read files, environment variables, or call external endpoints. There is no scope creep in the provided instructions themselves.
Install Mechanism
No install specification and no code files are present (instruction-only). This is low risk and consistent with the currently stubbed behavior.
!
Credentials
The skill requests no environment variables or credentials, yet its claimed functionality (reading device state, configuring parameters) would normally require API credentials, device tokens, or access to vendor services. The absence of any declared credentials or endpoints is disproportionate to the described capabilities.
Persistence & Privilege
The skill does not request always:true and has no install steps that would modify agent/system configuration. There is no evidence it attempts to persist or escalate privileges.
What to consider before installing
This skill is currently a stub: it only contains a description and a canned 'under testing' reply and does not actually implement any device queries. Note the vendor-name mismatch (registry says 九号电动, SKILL.md says 金彭) — ask the author which product this targets. If you expect live vehicle integration, require the author to provide: (1) the API endpoints and data flow, (2) which credentials or tokens are needed, and (3) a source repository or homepage to inspect code. Do not grant any device or cloud credentials until you verify the implementation and confirm exact scope; monitor future versions for requests to store or use tokens, which would raise the risk significantly.

Like a lobster shell, security has layers — review code before you run it.

latestvk973mbjkhefp8xf4n3j4k7bcpd82s5rv
306downloads
0stars
5versions
Updated 11h ago
v1.0.4
MIT-0
微笑@zhangyang-1
latest
Download

Skill 描述 当用户查询金彭智能三轮车的车辆信息(车辆详情、车辆上下电状态、车辆实时状态、车辆位置、车辆剩余电量、车辆骑行里程、车辆骑行轨迹)时使用。

适用场景 读取设备状态、电池信息、行驶数据 配置车辆参数(速度限制、灯语等) 排查常见故障 导出骑行统计数据 功能概览 功能 描述 设备连接 连接 金彭设备 状态查询 获取电池、里程、固件版本等信息 参数配置 修改速度限制、灯效等设置 故障诊断 分析错误码并提供解决方案 固定输出 该 skill 目前仅做提示,统一回复:

该skill正在测试中,敬请期待。

Comments

Loading comments...