Skillv1.0.0

ClawScan security

Vibe Coding 可行性评估 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 9, 2026, 8:15 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code will send your project descriptions to an external LLM API keyed by an API token, but the skill metadata declares no required credentials — this mismatch and the external endpoint use are unexplained and worth caution.
Guidance: This skill runs a bundled Python script that sends your idea text to an external LLM API and requires an API key — but the skill metadata did not declare that requirement. Before installing or running: 1) Review scripts/evaluate_vibe.py (you already have it) and confirm you are comfortable sending the kinds of ideas you will query to the default API_BASE (https://api.deepseek.com) or whichever endpoint you set. 2) If you have sensitive or proprietary ideas, do not provide them unless you trust the endpoint and its privacy/retention policy. 3) Provide an API key you control (prefer OPENAI_API_KEY if you prefer OpenAI) rather than reusing high-privilege or long-lived credentials. 4) Ask the publisher to update the skill metadata to list the required env var(s) and document the default API endpoint and privacy expectations. 5) If unsure, run the script in a sandbox or with non-sensitive example prompts first.

Review Dimensions

Purpose & Capability: noteThe skill's stated purpose (assess whether tasks can be done with AI coding tools) reasonably requires calling an LLM. However, the package metadata declares no required env vars/credentials while the shipped script expects OPENAI_API_KEY or DEEPSEEK_API_KEY; that mismatch is unexpected and should have been declared.
Instruction Scope: noteSKILL.md instructs the agent to run the bundled script (scripts/evaluate_vibe.py) with a user-provided idea. The instructions themselves do not request unrelated files, but the script will transmit the idea text to an external chat/completions endpoint — user content (potentially sensitive) will leave the environment.
Install Mechanism: okNo install spec and no third-party downloads. The skill is instruction-only plus a local CLI script, so nothing is fetched or extracted at install time.
Credentials: concernThe script requires a single API key (OPENAI_API_KEY or DEEPSEEK_API_KEY) and uses API_BASE defaulting to https://api.deepseek.com. The registry metadata and SKILL.md do not declare this requirement (README does mention DEEPSEEK_API_KEY), creating an undeclared secrets dependency. Sending user ideas and context to an external LLM endpoint may expose proprietary or sensitive information — the destination (deepseek.com) and its privacy policies are not documented here.
Persistence & Privilege: okThe skill does not request persistent/always-on privileges, does not modify other skills, and does not require system-level config changes.