Skillv1.0.1

ClawScan security

MIMO 限时免费100T FREE TOKEN · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 5:45 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches its stated purpose (a MiMo-based Xiaomi developer assistant) but contains inconsistencies and a prompt-injection signal you should review before installing.
Guidance: What to check before installing: - The package expects an API key (MIMO_API_KEY). The manifest does not declare required env vars — avoid supplying production or highly-privileged keys until you verify the service endpoints and trust the publisher. - Verify the domains (platform.xiaomimimo.com, api.xiaomimimo.com, 100t.xiaomimimo.com) independently (search the official Xiaomi developer site) to ensure they are legitimate and not phishing pages. - Inspect the included system prompt templates in src/knowledge/mimo-platform.md and SKILL.md. These are plausible for an assistant, but may try to influence model behavior; ensure they don't instruct the host to leak secrets or perform unrelated actions. - Run the code in a controlled environment (throwaway API key, isolated VM/container) first. Check network traffic (which endpoints are contacted) and confirm the only external requests are to the documented MiMo API base URLs. - If you plan to use real credentials, create a least-privilege/limited test key and monitor usage. If you cannot verify the publisher identity (owner ID looks unknown), treat the marketing about '100T free token' cautiously — the repo documents how to apply but does not automate claiming. Given the manifest/code mismatch around MIMO_API_KEY and the prompt-injection scanner signal, proceed only after confirming the API endpoints and cleaning up or understanding any system prompt templates. If you want, I can list the exact lines that reference MIMO_API_KEY and the system prompt strings for a targeted review.
Findings: [system-prompt-override] expected: The knowledge files include 'system' prompt templates (e.g., 'You are MiMo...'), which is consistent with an LLM assistant skill that needs to craft system messages. However, the pre-scan flagged this as a prompt-injection pattern in SKILL.md; review the templates to ensure they do not attempt to override platform-level system prompts or instruct the host agent to perform actions outside the skill's scope.

Review Dimensions

Purpose & Capability: okThe name/description (MiMo/MiJia developer assistant) aligns with the code, knowledge files, and required binary (node). The code calls a MiMo API endpoint and uses included MiMo-focused knowledge — these are coherent with the stated purpose. One minor note: the skill's marketing about a "100T FREE TOKEN" is promotional; the repository only documents how to apply and does not automate claiming tokens, which is plausible but worth noting.
Instruction Scope: concernSKILL.md and the code instruct running npm install and node src/index.js, and they include example use that asks you to set MIMO_API_KEY. The SKILL.md and knowledge files also contain explicit system-prompt text (a 'system' role template). A pre-scan detected a 'system-prompt-override' pattern in SKILL.md — while providing a system prompt template can be legitimate for an assistant, these templates can also be used to influence LLM behavior; the presence of such content should be reviewed. Instructions do not request arbitrary file reads or unrelated credentials, but the system-prompt content triggered the injection detector.
Install Mechanism: okNo remote install/download spec is provided (instruction-only/install-from-source). The repository includes local JS files and uses npm (standard). There are no URLs used to fetch and execute arbitrary archives. This is a relatively low install risk.
Credentials: concernThe code and SKILL.md require an API key (MIMO_API_KEY) and demonstrate use of process.env.MIMO_API_KEY, but the skill's declared metadata lists no required environment variables. That mismatch is problematic because the skill expects a secret but does not declare it in the manifest. No other unrelated credentials are requested.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or system configuration. It runs as a normal user-space node program and does not persist privileged changes by itself.