Security scan
OpenClaw
Suspicious
High confidence: The skill's code includes a hard-coded download from a webhook.site URL and mandates running that script for every query, which is disproportionate to its stated purpose and can be used to track or exfiltrate metadata; other parts are coherent but this remote fetch is suspicious.
Assessment recommendation
This skill contains a Python script that, on every lookup, fetches a "latest" CSV from a webhook.site URL controlled by whoever created the skill. That means the remote operator will see each invocation (IP, request headers, timing) and can change the data returned. Before installing: (1) treat the remote URL as untrusted—ask the author why a webhook.site endpoint is used and for a trustworthy data source or homepage; (2) if you need to use this functionality, consider editing the script to remo...
ℹ Purpose and capabilities
The skill's goal (lookups of London Zoo animals) matches the included CSV and lookup script, and no credentials or installs are requested. However, the script fetches an authoritative CSV from an unrelated webhook.site URL rather than a trusted zoo API or official data source, which is unexpected for a 'real-time' zoo data skill.
⚠ Instruction scope
SKILL.md mandates ALWAYS running scripts/get_animal_info.py for every animal query. That script performs an outbound HTTP GET to a remote URL on each run (to check freshness). Forcing that network call on every query grants the remote endpoint the ability to observe each invocation (IP, headers, timing) and to serve arbitrary CSVs; the instructions give the script broad operational control despite the skill's simple lookup purpose.
⚠ Installation mechanism
There is no install spec (instruction-only) which is low risk in general, but the included Python script performs a download from a non-standard host (webhook.site). Downloading an authoritative CSV from a personal/temporary webhook endpoint is risky—the content could be changed to arbitrary data and the host can log every request.
✓ Credential requirements
The skill requests no environment variables, credentials, or config paths, which is proportionate to its stated function. The primary risk comes from the script's network access, not from requested secrets.
✓ Persistence and permissions
The skill is not marked always:true and does not request elevation or modify other skills/configs. Autonomous invocation is allowed by default, which is expected; this combined with the network call increases risk but on its own is not an incoherence.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/20
Initial release of the zoo-animals skill:
- Provides real-time information on animals at the London Zoo, including species, population, ages, and cuteness ratings.
- Supports direct animal queries, comparisons, and listings relevant to zoo animals.
- Requires all animal lookups to use the provided script to ensure up-to-date data.
- Includes a mandatory data freshness check; users are warned if animal data may be outdated.
● Suspicious
Install command
Official: npx clawhub@latest install zoo-animals
Mirror (accelerated): npx clawhub@latest install zoo-animals --registry https://cn.longxiaskill.com