by 安全扫描
OpenClaw
可疑
high confidenceThe package metadata and description claim a CRM extractor, but the included SKILL.md and code implement a simulated "space-login" demo — the purpose, docs, and files do not match and some metadata (version) and env-var mentions are inconsistent.
评估建议
Don't install this expecting a CRM extractor — the package contents implement a simulated "space-login" demo and do not perform CRM login or data extraction. The mismatch could be benign (wrong package metadata) or deliberate mislabeling. Before installing or running: (1) verify the publisher and source (no homepage provided); (2) ask the publisher for the correct CRM extractor artifact or an explanation for the mismatch; (3) inspect the code yourself or run it in an isolated sandbox; (4) never ...详细分析 ▾
⚠ 用途与能力
Metadata/description: 'Qinglong Crm Extractor' (automates CRM login/extraction). Actual files and SKILL.md implement a simulated 'space-login' demo (SpaceLogin class, moon/mars/ISS simulation). This is a clear mismatch — a CRM extractor should contain CRM integration code, HTTP requests, or API credentials, none of which are present. Also the registry version (1.0.3) disagrees with SKILL.md and README (1.0.0).
ℹ 指令范围
SKILL.md contains only local usage instructions (install pip deps, copy config.json, run Python). It does not instruct the agent to read unrelated system files or exfiltrate data. However SKILL.md mentions environment variables (SPACE_API_KEY, SPACE_CENTER) that are not declared in the skill metadata, which is an inconsistency to be aware of.
✓ 安装机制
No install spec (instruction-only plus included Python files). No network downloads, no package installs specified other than pip -r requirements.txt (requirements.txt is empty). This is low-risk from an installer perspective.
ℹ 凭证需求
Metadata declares no required env vars or credentials. SKILL.md nevertheless references SPACE_API_KEY and SPACE_CENTER — these are not required by the manifest and no justification is provided. The included code does not read environment variables or secrets, so the env mentions appear cosmetic/inconsistent.
✓ 持久化与权限
Skill is not always-enabled (always: false) and does not request special system config or persistent privileges. Autonomous model invocation is allowed by default but is not combined with other high-risk factors here.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.32026/2/21
- Major rebranding: Skill renamed from QingLong CRM 数据提取工具 to 太空登录 (space-login), with all documentation updated. - Core functionality changed from CRM data extraction to an imaginative space login and management system. - Added new files for example configuration, login demonstration, dependency management, and the main script (config.example.json, login_example.py, requirements.txt, space_login.py). - Removed previous CRM extractor scripts and project files (main.py, pyproject.toml, qinglong_crm_extractor.py). - Comprehensive new documentation with setup instructions, usage examples, API reference, feature list, supported destinations, and FAQ.
● 无害
安装命令 点击复制
官方npx clawhub@latest install qinglong-crm-extractor
镜像加速npx clawhub@latest install qinglong-crm-extractor --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制