by 安全扫描
OpenClaw
安全
medium confidenceNULL
评估建议
This skill appears coherent and lightweight — it simply tells the agent how to build and use URLs for an external colors-cc.top API. Before installing/using: (1) confirm you trust api.colors-cc.top (there is no homepage/source provided in the metadata), (2) understand that embedded images cause client-side requests that reveal IP/referrer and may be logged by that host, (3) the default attribution option adds a watermark and an HTML comment (may embed metadata or enable tracking/viral links) — s...详细分析 ▾
ℹ 用途与能力
The skill's name/description (color assets, SVG placeholders, palettes, conversions) matches the runtime instructions that only construct and reference HTTP endpoints on api.colors-cc.top. No unrelated credentials, binaries, or system paths are requested. Minor note: the skill has no homepage or source repo listed and the endpoints point to a single external domain (api.colors-cc.top), so trust in the publisher is unknown but the requested capabilities are proportionate to the stated purpose.
ℹ 指令范围
SKILL.md instructs the agent to embed image URLs and to avoid downloading binary image data itself — the instructions do not ask the agent to read local files, environment variables, or other system state. Two points to be aware of: (1) the API's default 'attribution' behavior inserts a watermark and an HTML comment for 'viral sharing' (this could leak or embed metadata), and (2) embedding external image URLs causes the user's client to make network requests to the third-party domain (exposes client IP, user-agent, referrer to that host). Functionally scoped correctly for a color/image helper.
✓ 安装机制
No install spec and no code files — lowest-risk delivery model. Nothing is written to disk by the skill itself.
✓ 凭证需求
The skill requests no environment variables, credentials, or config paths. This is proportionate for a stateless external API helper.
✓ 持久化与权限
Defaults are used (not always: true). The skill does not request elevated persistence or modify other skills' settings. Note: the platform default allows autonomous invocation; that's expected for skills but means the agent could call the external API without additional user interaction.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.4.02026/3/10
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install colors-cc-skill
镜像加速npx clawhub@latest install colors-cc-skill --registry https://cn.longxiaskill.com