Skill v4.0.0
ClawScan security
sales-winner-assistant(赢单助手) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 4, 2026, 6:39 PM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches its stated sales-assistant purpose, but its runtime instructions expect autonomous real-time data collection and automatic CRM/task updates while declaring no integrations or credentials; that mismatch and the automatic, no-prompt behaviors warrant caution.
- Guidance: What to consider before installing:
  - Ask the publisher how the skill integrates with CRMs, calendars, email, or transcription services. The SKILL.md says it will "update customer profiles", "insert tasks into work plans", and "update CRM" automatically, but the skill declares no API keys/configs. Confirm what connectors are used and whether credentials will be required or stored.
  - Require explicit confirmation behavior: insist the skill prompt the user before performing any writes or sending data to external systems (e.g., CRM updates, emails, task creation). If you want automated updates, restrict them to a test environment first.
  - Verify data sources and privacy: the skill performs broad web_searches (public sites, procurement portals, social sources) and may process PII (decision-maker names, contact info). Ensure you’re comfortable with those sources and with how results are stored/retained by your agent platform.
  - Least privilege for credentials: if CRM / mail / transcription access is needed, provide dedicated, limited-scope service accounts and audit logs rather than full administrative credentials.
  - Test with non-sensitive targets: before using on real customers, run the skill against fictitious or public-company examples to confirm outputs, triggers, and that it does not leak internal data.
  - Logging and audit: enable request/response logging and review what the skill writes or transmits. Prefer an implementation that requires an explicit opt-in to 'automatic' features and that surfaces a changelog of any external writes.
  - Confidence notes: I judged this as 'suspicious' (medium confidence) because the major incoherence is operational (expected write/update capabilities without declared integrations). If the publisher documents the connectors and required credentials and adds clear confirmation/consent controls, this would move toward 'benign.'
Review Dimensions
- Purpose & Capability (ok): Name/description (a Yonyou sales assistant) align with the instructions: web_search-based company analysis, sales playbooks, scripts, bid/POC guidance and follow-up plans are expected capabilities for such a tool.
- Instruction Scope (concern): SKILL.md repeatedly instructs the agent to perform real-time web searches, parse visit records (text/voice), auto-generate strategy reports, auto-create work plans and "update customer profiles" / "update CRM" and "set reminders" without additional user prompts. Those automatic side-effects (updating persistent records, CRM, tasks) extend beyond pure conversational output and could result in unexpected writes or transmissions if the agent has tool integrations. The skill does not define confirmation/consent gates for these automatic actions.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files, so this is the lowest install risk. All behavior is described in SKILL.md and local reference docs; nothing is downloaded or executed on install.
- Credentials (concern): The instructions expect the ability to update CRM records, create tasks/reminders, transcribe audio, and possibly query private systems (e.g., procurement portals, paid databases). Yet the skill declares no required environment variables, credentials, or config paths for CRM/API keys, mailboxes, or transcription services. That gap is incoherent: legitimate integrations of this scope normally require declared credentials or explicit connector configuration.
- Persistence & Privilege (note): always:false and model invocation not disabled (normal). However, multiple rules require the skill to 'automatically' carry out actions '无需用户额外提示' (without extra user input). Autonomous, automatic outputs combined with expectations to update persistent records increase the blast radius if the agent has integrations. Recommend adding explicit user confirmation or scoped write permissions.
