📦 5gc5GC

v0.0.0

Web dashboard automation skill that supports batch adding and editing of AMF/UDM/AUSF/SMF/PGW-C/UPF/PGW-U/GNB/UE/PCF/NRF/QoS/TC/PCC/smpolicy, plus one-click configuration of PCF default rules

Last updated: 2026/4/21
Security scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
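The skill's code matches its stated purpose (Playwright automation of a 5GC web dashboard), but the package contains hard-coded login/session credentials and other overly convenient content, which poses a risk. Be sure to inspect and clean it before use.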
Assessment recommendations
This skill does what it says (browser automation of a 5GC web UI) but the package bundles active login/session credentials and a storageState JSON that contains cookies and an auth token for the target dashboard. Those embedded secrets are the main red flag: they can be reused to access or modify the dashboard and could leak if the skill is shared. Before installing or running: 1) Inspect and remove the .sessions/ storageState file and any hard-coded credentials in the scripts; 2) Replace them w...
Detailed analysis
Purpose and capability
The name/description (5GC web dashboard automation) aligns with the provided scripts: many Playwright-based add/edit scripts and a CLI wrapper implement the claimed features. However, the bundle embeds a default target URL and login credentials/session storage for the dashboard (https://192.168.3.89, dotouch@dotouch.com.cn/dotouch and a storageState JSON). Including active credentials/session tokens in the shipped package is not necessary for the stated functionality and is disproportionate.
Instruction scope
SKILL.md and scripts instruct the agent to run local Node.js/Playwright scripts against a web dashboard, reuse a .sessions/ storageState file, and perform bulk edits that can change network elements. The runtime instructions explicitly reuse and persist login/session state (.sessions/ directory) and include hard-coded credentials; this increases the risk of unintended access or credential leakage. Instructions otherwise stick to the dashboard domain and local test artifacts and do not appear to request unrelated system data, but the session reuse behavior broadens scope.
Install mechanism
There is no remote install/download; the skill is instruction + many local JS scripts. It requires Node.js and Playwright (documented), which is expected for browser automation. No external arbitrary download URLs or archive extraction were used in the install step, lowering install risk.
Credential requirements
The skill declares no required environment variables, but the code includes embedded credentials (email/password) and a storageState JSON with cookies/localStorage auth tokens for the dashboard. Shipping active credentials/session tokens inside the skill bundle is disproportionate and dangerous: anyone with the skill can reuse those tokens to access the target dashboard or exfiltrate data. The scripts also accept an arbitrary --url so they could be pointed at other hosts, which is functionally necessary but increases abuse potential if credentials/session are reused.
Persistence and privileges
always is false and model invocation is normal. The skill persists its own session files under its .sessions/ folder and writes test_results locally. It does not appear to modify other skills or global agent settings. Persisting session state inside the skill directory is expected for convenience but is a persistence risk because those files contain sensitive tokens.
scripts/5gc_test_all.js:83
Shell command execution detected (child_process).
scripts/5gc.js:179
Shell command execution detected (child_process).
scripts/5gc_session_192_168_3_89.json:37
Install source points to URL shortener or raw IP.
scripts/smf-pgwc-add-skill.js:33
File read combined with network send (possible exfiltration).
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v0.0.0 · 2026/4/21

Synced from workspace skills/5gc

Suspicious

Install command

Official: npx clawhub@latest install 5gc
Mirror (accelerated): npx clawhub@latest install 5gc --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese localization: 龙虾技能库