Back to skill
Skillv1.0.0
ClawScan security
gold-price-checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 6:30 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose (querying domestic and international gold prices and basic trend analysis) matches its instructions and resource needs; it is an instruction-only web-scraping helper that does not request extra credentials or install code.
- Guidance
- This skill is coherent and low-friction, but before installing: 1) confirm your agent runtime's extract_content_from_websites and batch_web_search tools are trusted and obey your network/privacy policies (they will make outbound requests). 2) Verify jinjia.com.cn is a reliable data source for your needs. 3) Be aware scraped price data may be cached or logged by the agent—ensure you’re comfortable with how extracted data is stored/retained. 4) Don’t treat outputs as investment advice; the skill already warns to use caution. If you require stricter controls, restrict the skill’s network access or review the runtime tool implementations first.
Review Dimensions
- Purpose & Capability
- okName and description (gold price queries, bank/store prices, trend analysis) align with runtime instructions which call extract_content_from_websites against jinjia.com.cn and perform web searches for trend commentary. The requested actions are appropriate for the stated purpose.
- Instruction Scope
- okSKILL.md limits runtime behavior to extracting price data from jinjia.com.cn and optional web searches for trend analysis (batch_web_search). It does not instruct reading local files, accessing unrelated environment variables, or transmitting data to unexpected endpoints. Note: the extract_content_from_websites tool will make outbound HTTP requests to third-party sites, which is expected for this skill.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only), so nothing is written to disk or downloaded during install. This is the lowest-risk installation model.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. There are no disproportionate secret or credential requests relative to the simple web-scraping purpose.
- Persistence & Privilege
- okSkill is not marked always:true and uses default agent-invocation behavior. It does not request elevated persistence or modify other skills' configs. Autonomous invocation is allowed by default on the platform but is not combined with other risky privileges here.