Security Scan
OpenClaw
Suspicious
high confidence
The SKILL.md instructs the agent to run a local Python script and export an AB_API_KEY, but the published skill contains no code files and declares no required environment variables—this mismatch is incoherent and requires clarification before use.
Assessment recommendation
Do not provide secrets or run the skill yet. The package contains only a SKILL.md that instructs running 'scripts/ab_test_analyzer.py' and exporting AB_API_KEY, but there is no script or declared env var in the published bundle. Ask the publisher for the actual code or a link to a repository, and for details about what AB_API_KEY is (which service it belongs to and why it is needed). If you must test, inspect the script source first and avoid using real/privileged API keys—use a throwaway key or...
Detailed analysis
⚠ Purpose and capabilities
The skill claims to 'Analyze A/B test results' and shows a usage line that runs python3 scripts/ab_test_analyzer.py, implying shipped code. However, the package contains no code files and the registry metadata lists no required env vars or credentials. Asking to run a local script is inconsistent with an instruction-only skill that provides no script.
⚠ Instruction scope
SKILL.md directs execution of a specific local script path and tells the user to set AB_API_KEY, but does not explain what the API key is for or where the script comes from. The instructions therefore tell the agent to access a file and an environment secret that are not present or declared, which expands scope beyond what's packaged.
✓ Install mechanism
There is no install spec (instruction-only), which is the lowest install risk. That said, because the instructions expect a local Python script, the agent could attempt to execute arbitrary Python if such a file exists in the environment—this is a consequence of the missing code rather than an installer issue.
⚠ Credential requirements
The SKILL.md asks users to set AB_API_KEY but the skill metadata lists no required environment variables or primary credential. The purpose doesn't justify an undeclared secret; it's unclear what service the key would grant access to and why an API key is necessary for a simple analyzer.
✓ Persistence and privileges
The skill does not request persistent or elevated privileges (always is false, no config paths, no install). Autonomous invocation is allowed by default, which is normal and not by itself a concern here.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install jpeng-ab-test-analyzer
Mirror: npx clawhub@latest install jpeng-ab-test-analyzer --registry https://cn.longxiaskill.com