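📦 ocean right marine — Voyage Distance Calculation
v1.0.0 · An ORM weather-routing tool based on the NavOptima API that looks up the sailing distance (nautical miles) between any two ports worldwide in seconds, with support for route optimization and cost estimation.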
Last updated
2026/4/2
Security scan
OpenClaw
Suspicious
High confidence: The skill’s stated purpose (query NavOptima for voyage distances) is plausible, but the runtime instructions embed a hardcoded account/password and require automatic screenshot capture and unconditional sending to chat — behaviors that are disproportionate and risk data/credential exposure.
Assessment recommendations
Do not install blindly. Specific things to consider before installing:
- The SKILL.md contains a plaintext NavOptima email and password — ask who owns that account and whether you are authorized to use it. Never rely on hardcoded shared credentials; prefer per-user credentials or API keys injected via environment variables. If that account is legitimate, rotate the password and avoid embedding secrets in skill text.
- The skill forces full-page screenshots and instructs sending them to chat '...
Detailed analysis
⚠ Purpose and capability
The skill claims to query NavOptima for voyage distances, which fits the described functionality. However, instead of requesting a proper, declared credential (API key or environment variable), the SKILL.md embeds a specific NavOptima email and plaintext password in the instructions. Hardcoding service credentials in an instruction-only skill is disproportionate and not an appropriate way to authenticate a third‑party service.
⚠ Instruction scope
The SKILL.md directs the agent to log into a web UI, control a browser, take a full-page screenshot, and then forcibly send that screenshot to a chat channel 'regardless of user window'. That mandates collection and transmission of potentially sensitive visual data without explicit per-query user consent. It also prescribes appending fixed contact/signature info to every result. Those steps extend beyond a simple distance lookup and create clear data-exfiltration and privacy risks.
✓ Install mechanism
Instruction-only skill with no install spec and no code files — low disk/write risk. No third-party packages or downloads are requested.
⚠ Credential requirements
The skill declares no required environment variables or credentials, yet instructs use of a specific NavOptima account (email and plaintext password). This mismatch is a red flag: credentials are present but not managed through declared env vars, and there is no justification for sharing a shared/static password inside the skill text.
ℹ Persistence and privileges
The skill does not request always:true and does not modify other skills or agent system settings. However, its mandatory 'capture and send' behavior effectively gives it a recurring data-exfiltration action each invocation; if the agent invokes the skill autonomously, that increases risk. Autonomous invocation itself is normal, but combined with forced screenshot-sending it widens the blast radius.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest · v1.0.0 · 2026/4/1
Initial release of ORM Weather Routing Nav Voyage Distance Finder.
- Supports querying voyage distance (nautical miles) between global ports using the NavOptima platform.
- Provides detailed instructions for login, multi-port route planning, and precise position (latitude/longitude) input.
- Outputs standardized distance report and automatically sends voyage map screenshots with result.
- Mandatory inclusion of contact info (Andy, ORM Weather Routing) in all outputs.
- Emphasizes data accuracy (<1% error) and safe internal use—strict account/password access control.
● Suspicious
Install command
Official: npx clawhub@latest install orm-weather-routing-nav-voyage-distance-finder
Mirror (accelerated): npx clawhub@latest install orm-weather-routing-nav-voyage-distance-finder --registry https://cn.longxiaskill.com