Security Scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill implements a Hillstone Threat Intelligence client and needs a Hillstone API key (HILLSTONE_API_KEY or config.json). Before installing:
- Confirm the API endpoint (https://ti.hillstonenet.com.cn) and the publisher (maxjia) are legitimate for your use. If you don't recognize the endpoint/publisher, verify independently.
- Provide the API key via environment variable (HILLSTONE_API_KEY) rather than a file when possible; SKILL.md recommends this. If you use config.json, set file permissi...
ℹ Purpose and capabilities
Name/description (Hillstone TI queries) align with the code and SKILL.md: the code implements IOC detection, query, caching, exports and logging against the Hillstone TI endpoints. However the registry metadata earlier listed 'required env vars: none' while SKILL.md/package.json and the code all expect an API key (HILLSTONE_API_KEY or config.json). That mismatch is a packaging/metadata inconsistency that should be resolved.
✓ Instruction scope
Runtime instructions stay within the stated purpose: they instruct creating config.json or setting HILLSTONE_API_KEY, calling the Hillstone API endpoints, and exporting/logging results. The skill reads config.json, may write export files and a log at ~/.openclaw/logs/hs_ti.log, and may create export directories; these are expected for a client that writes reports and logs.
ℹ Install mechanism
No install spec is present (instruction-only in registry), which is low risk; but the package includes Python code files (scripts/hs_ti_plugin.py, result_formatter.py, tests, examples). Because there is no formal install step, the skill will rely on those files being available in the agent runtime; this is normal but worth noting (there's code to execute even though there's no separate install/download stage). No external download URLs or unknown installers are used.
⚠ Credential requirements
The skill legitimately requires a Hillstone API key (SKILL.md, package.json env HILLSTONE_API_KEY, and config.json). However the registry metadata at the top says 'Required env vars: none' — an incoherence. The request for an API key is proportionate to the purpose, but the metadata omission is misleading. Also the skill writes logs and export files to the user's home directory (~/.openclaw/logs and example exports), so you should ensure file-permission handling (SKILL.md suggests chmod 600 for config.json).
✓ Persistence and privileges
The skill does not request always:true and does not request system-wide privileged persistence. It writes its own logs and export files under user home/.openclaw and example export directories, which is expected. It does not appear to modify other skills or system-wide settings.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v2.2.5 2026/3/20
● Benign
Install command
Official: npx clawhub@latest install hs-ti
Mirror: npx clawhub@latest install hs-ti --registry https://cn.longxiaskill.com