ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

simulated-upload-helper

v0.1.1

自动创建并上传一个简单测试 skill,展示本地 skill 的创建与上传全过程,支持无交互登录。

1· 38·0 current·0 all-time
by@zhoulincom

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zhoulincom/simulated-upload-helper.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "simulated-upload-helper" (zhoulincom/simulated-upload-helper) from ClawHub.
Skill page: https://clawhub.ai/zhoulincom/simulated-upload-helper
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install simulated-upload-helper

ClawHub CLI

Package manager switcher

npx clawhub@latest install simulated-upload-helper
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description claim to trigger an existing publish flow and the SKILL.md explicitly instructs running local publish scripts (./publish-skills.sh). It does not request unrelated credentials, binaries, or installs, so the requested capabilities match the stated purpose.
Instruction Scope
Instructions are narrowly scoped to deciding single vs batch publish and executing ./publish-skills.sh with a given root. They explicitly forbid creating new skill directories or modifying unrelated skill content. However, executing the publish script can perform network actions (push to a registry) and may run arbitrary logic in that script — review that script before allowing this skill to run.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself during install. That minimizes install-time risk.
Credentials
The SKILL.md references optional CLAWHUB_TOKEN and CLAWHUB_REGISTRY for non-interactive login. Those variables are proportionate to a publish/push workflow, but they are sensitive credentials and the skill metadata does not declare them required; ensure you understand their use and scope before providing them.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Still, the platform default allows autonomous invocation; given this skill runs publish scripts that can push changes externally, consider whether you want it to be able to run without explicit user confirmation.
Assessment
This skill simply runs your repository's publish script — it does not itself contain code — so the main risks come from that script and any CLAWHUB_* token you supply. Before installing or enabling: (1) inspect ./publish-skills.sh and any scripts it calls so you know what will run and what network actions will occur; (2) avoid storing long‑lived or overly-permissive CLAWHUB_TOKEN values; prefer ephemeral or least-privilege tokens and confirm CLAWHUB_REGISTRY points to the expected host; (3) if you don't want automatic publishes, require interactive confirmation or disallow autonomous invocation for this skill; (4) consider running the publish script manually in a safe test repo first (dry-run) to verify behavior. If you cannot review the publish script, treat the skill as higher risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk975cdt97mbcwv8d6yxn6ajxcs85mdc4
38downloads
1stars
2versions
Updated 20h ago
v0.1.1
MIT-0
@zhoulincom
latest
Download

name: simulated-upload-helper description: 当用户说“模拟上传”时,直接触发已有 skill 的发布流程,不创建新 skill。 version: 0.1.1

Simulated Upload Helper

用途

这个 skill 用于快速触发本地 skills 的上传/发布流程,只调用发布脚本,不创建任何新 skill。

触发词

  • 模拟上传
  • 上传 skill
  • 发布 skills
  • 一键发布

执行步骤

  1. 判断用户是否指定了 skill 名:
    • 指定 skill 名:执行单个发布。
    • 未指定 skill 名:执行按变更批量发布。
  2. 调用仓库中的发布脚本:
    • 批量模式:./publish-skills.sh --root ".cursor/skills"
    • 单个模式:./publish-skills.sh --root ".cursor/skills" --skill "<skill目录名>"
  3. 输出发布结果;若失败,返回错误信息并给出排查建议。

约束

  • 严禁创建新的 skill 目录或 SKILL.md 文件。
  • 严禁修改用户未要求变更的 skill 内容。
  • 所有路径带空格时必须使用双引号。
  • 上传前确认环境变量:
    • CLAWHUB_TOKEN(可选,供无交互登录)
    • CLAWHUB_REGISTRY(可选,覆盖默认 registry)
  • 若未设置 CLAWHUB_TOKEN,需提前执行 clawhub login

示例

用户输入:模拟上传

期望行为:

  1. 直接执行发布命令(单个或批量)。
  2. 不创建任何测试 skill。
  3. 返回成功或失败原因。

Comments

Loading comments...