Back to skill
Skillv1.0.0
ClawScan security
China Vehicle Accessories Sourcing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 3:35 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and requested resources are consistent with a read-only China vehicle accessories sourcing guide — it does not request credentials, install external code, or perform network or filesystem access beyond loading its bundled data.
- Guidance
- This skill appears coherent and self-contained. Before installing: 1) Review data.json if you need source verification or worry about incorrect/outdated claims (the skill bundles static industry data and supplier examples). 2) Note it explicitly says it contains cluster-level information only — it does not include factory contact details or live supplier endpoints. 3) If you plan to act on sourcing recommendations, independently verify supplier credentials, certifications, and export/import compliance. If you require dynamic or transactional features (contacting suppliers, placing orders), expect to need additional integrations that would request network access and credentials.
Review Dimensions
- Purpose & Capability
- okThe name and description (industry sourcing guide) match the included assets: an explanatory SKILL.md, a static data.json, and a small Python API (do.py) that exposes read-only accessors. There are no unrelated credentials, binaries, or config paths required.
- Instruction Scope
- okSKILL.md describes using the skill to query industry, supply chain, clusters, and sourcing guidance. The instructions do not direct the agent to read other system files, environment variables, or send data to external endpoints. do.py only reads the bundled data.json and provides lookup/search functions.
- Install Mechanism
- okThere is no install spec; this is an instruction-plus-bundled-data skill. No external downloads, package installs, or archive extraction are specified. The code runs against local files only.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths and the implementation does not access them. No disproportionate secret or credential access is requested.
- Persistence & Privilege
- okalways is false and the skill does not modify agent/system configuration. The skill can be invoked autonomously by the agent (platform default), which is expected for a user-invocable informational skill.