ai-intelligent-helpdesk Security Report — Suspicious | ClawSafe

40 /100

ai-intelligent-helpdesk

Enterprise IT Helpdesk — ticket management + smart dispatching

Skill provides only documentation with no actual implementation code; installation instructions reference a non-existent remote repository and nonexistent local files (requirements.txt, app.py), constituting doc-to-code mismatch and potential social engineering.

Skill Nameai-intelligent-helpdesk

Duration31.7s

Enginepi

⚠

Use with caution

Do not use this skill. The package contains no executable code despite claiming to be a FastAPI application. The git clone instruction points to an unverified external repository and may be a social engineering vector. Request the vendor provide the actual source code for security review.

Attack Chain 3 steps

⬡

Escalation Skill is distributed as documentation-only package with no code

SKILL.md:1

⬡

Escalation Installation instructions redirect user to clone unverified external repository

SKILL.md:31

◉

Impact User blindly executes pip install and python app.py from an untrusted third-party repository, gaining full shell access to the environment

SKILL.md:30

Findings 3 items

Severity	Finding	Location
Medium	No implementation code present Doc Mismatch The package declares a FastAPI-based enterprise helpdesk system but contains only documentation files (SKILL.md, skill.json). No Python source files, no requirements.txt, no app.py — the entire implementation is absent. This makes independent security verification impossible. `pip install -r requirements.txt python app.py` → Request actual source code before any security assessment. Refuse to install from the remote repository without code review.	`SKILL.md:30`
Medium	Installation points to unverified external repository Doc Mismatch The install instructions direct users to `git clone https://github.com/openclaw-skills/ai-intelligent-helpdesk` — a third-party repository that has not been security reviewed. The user is expected to download and execute code from this external source blindly. `git clone https://github.com/openclaw-skills/ai-intelligent-helpdesk` → Do not clone or execute code from this repository. Insist on a complete, self-contained package with all source code included in the skill bundle.	`SKILL.md:31`
Low	Package metadata mismatch Doc Mismatch skill.json has 'author': 'yang1002378395-cmyk' (likely an auto-generated identifier) and 'description': 'AI intelligent ai-intelligent-helpdesk' which is a near-duplicate tautology, suggesting non-professional packaging. Combined with the missing code, this weakens trust in the skill's provenance. `"author": "yang1002378395-cmyk", "description": "AI intelligent ai-intelligent-helpdesk"` → Verify the identity and reputation of the skill author before use.	`skill.json:3`

File Tree

2 files · 1.2 KB · 58 lines

Markdown 1f · 51L JSON 1f · 7L

├─ 📋 skill.json JSON 7L · 203 B

└─ 📝 SKILL.md Markdown 51L · 985 B

Security Positives

✓ No malicious code found — no code exists in this package at all

✓ No sensitive file access observed (no filesystem code present)

✓ No network exfiltration code present (no scripts to analyze)

✓ No credential harvesting logic (no executable code)

✓ No obfuscated payloads (base64, eval, or shell commands)

✓ No supply chain risk via dependencies (no dependency files)

Scan Report

Attack Chain 3 steps

Findings 3 items

File Tree

Security Positives