by 安全扫描
OpenClaw
可疑
medium confidenceThe skill is small and largely coherent with its stated purpose, but it omits key details (where 'mcp' calls go and whether ALIYUN_RPA_RobotId is a secret) and the registry metadata does not declare the parameter the runtime instructions require.
评估建议
This skill is small and looks like it does what it says, but it leaves out important details. Before installing or using it: 1) Ask the author to clarify what 'mcp' calls (the exact API endpoint or service) and where network traffic goes. 2) Confirm whether ALIYUN_RPA_RobotId is merely a non-sensitive runtime identifier or an auth token; if it is sensitive, the skill metadata should declare it as a required credential. 3) Because the skill has no listed source or homepage, treat it as untrusted:...详细分析 ▾
ℹ 用途与能力
The name and description claim to return Alibaba Cloud-related search queries given an ALIYUN_RPA_RobotId. The SKILL.md also requests a robotId parameter and shows the expected output, so the high-level purpose is consistent. However, the skill does not explain how it obtains the data (no API endpoint, no service host, and no declared credentials), which is an omission.
✓ 指令范围
The instructions are narrowly scoped: they tell the agent to invoke an mcp tool with a robotId parameter and return a list. They do not instruct the agent to read arbitrary system files, environment variables, or send data to unrelated endpoints.
✓ 安装机制
Instruction-only skill with no install spec or code files. Nothing will be written to disk or installed by the skill itself.
⚠ 凭证需求
SKILL.md explicitly requires a robotId (referred to as ALIYUN_RPA_RobotId), but the registry metadata lists no required environment variables or primary credential. This mismatch is concerning: either the robotId is a runtime parameter (fine) or it is a secret/credential that should have been declared. The skill also comes from an unknown source with no homepage, which increases the risk when supplying any identifier that might act as auth.
✓ 持久化与权限
The skill does not request persistent presence (always is false), does not modify config paths, and has no install-time components. Autonomous invocation is allowed (platform default) but not combined here with any broad privileges.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/4/16
- Initial release of get-ali-searches skill. - Retrieves related search terms for Aliyun (Alibaba Cloud). - Requires robotId parameter for use. - Returns a list of relevant Aliyun search keywords.
● 无害
安装命令
点击复制官方npx clawhub@latest install get-ali-searches
镜像加速npx clawhub@latest install get-ali-searches --registry https://cn.longxiaskill.com
技能文档
# 获取相关搜索 用途:获取阿里云相关搜索
调用
使用mcp调用此工具,需要提供以下参数: | 参数 | 默认 | 说明 | |--------|----|----------------| | robotId| 必填 | 使用ALIYUN_RPA_RobotId|输出结构
- 返回列表结构