Skill v1.0.2

ClawScan security

巨量广告自动化投放技能 - LemClaw Skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 9, 2026, 12:30 PM)

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches an Ocean Engine ads automation tool, but there are multiple mismatches between its manifest, runtime instructions, and code (especially around required credentials and persistence) that warrant caution before installing.
Guidance
Before installing, note these issues and take precautions:

- The registry metadata does not list the API credentials this skill actually needs; SKILL.md and the code require OCEANENGINE_ACCESS_TOKEN, APP_ID, APP_SECRET (and the code can use OCEANENGINE_REFRESH_TOKEN). Expect to provide sensitive API credentials.
- The skill saves tokens/config to a local config.json in the working directory (unencrypted). If you install/run it, ensure the runtime environment is secure and delete or protect config.json when done.
- The package contains executable Python code (not instruction-only). Review requirements.txt and the code locally, and run it first in a test/sandbox account (use the provided test mode) and with low budgets to avoid accidental spend.
- Ask the publisher for provenance: why does the registry metadata omit required env vars, and why does the SKILL.md version (1.0.0) differ from the registry version (1.0.2)? Verify the author (lemclaw / 乐盟互动) and obtain a canonical source/release (e.g., GitHub repo or official vendor distribution).
- If you proceed, create dedicated API credentials with minimal permissions and short expirations where possible; monitor the account and revoke credentials after testing.

If you want, I can: (1) highlight the exact lines that persist secrets to disk, (2) list dependencies from requirements.txt for review, or (3) show a checklist of safe steps for testing this skill in a sandbox.

Review Dimensions

Purpose & Capability (concern)
The code and SKILL.md implement an Ocean Engine (巨量) ads client, automation, and optimizer — consistent with the declared purpose. However, the registry metadata claims no required environment variables/credentials, while the SKILL.md and code clearly require OCEANENGINE_ACCESS_TOKEN, APP_ID, APP_SECRET (and the code also reads OCEANENGINE_REFRESH_TOKEN). This manifest vs. runtime mismatch is not proportional to the stated publishing metadata and undermines trust in the packaging.

Instruction Scope (note)
Runtime instructions ask the user to install dependencies, set API credentials, and run automation commands (auto-launch, batch, monitoring). The instructions and code perform network calls to Ocean Engine endpoints (expected). The code persists auth state to a local config.json (stores access_token/app_secret/etc.), which goes beyond simply using in-memory credentials and could persist secrets to disk — this is reasonable for an OAuth client but should be highlighted to the user.

Install Mechanism (note)
There is no formal install spec in the registry (instruction-only), but the package includes code files and a requirements.txt; SKILL.md instructs pip install -r requirements.txt. No suspicious remote downloads are used. The mismatch (no install spec declared while code is present) is an inconsistency but not an immediate malware indicator.

Credentials (concern)
The SKILL.md declares OCEANENGINE_ACCESS_TOKEN, OCEANENGINE_APP_ID, OCEANENGINE_APP_SECRET, and optional OCEANENGINE_ACCOUNT_ID and OCEANENGINE_TEST_MODE. The registry metadata incorrectly lists no required env vars and no primary credential. The code also reads OCEANENGINE_REFRESH_TOKEN, though SKILL.md doesn't list it. Requiring API keys/secrets is expected for this functionality, but the failure to declare them in the registry and the extra refresh token usage are concerning and reduce transparency.

Persistence & Privilege (note)
The skill does not request elevated platform privileges and has always:false. It does persist auth/config to a local file (config.json) via auth.save_config(), which stores tokens and secrets unencrypted in the working directory. That local persistence is normal for clients but increases the risk that credentials remain on disk if not cleaned up or protected.