Skill v0.1.1

ClawScan security

宽数题库 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 3:05 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only entry point for a multi-source quantitative problem repo and its declared commands and resources match the documented purpose.
Guidance
This skill is an instructions-only helper for a repo; it appears coherent. Before running any commands it recommends, review the repository (especially scripts/ and package.json) to confirm what network requests and shell commands the data-fetch/build scripts perform. Running npm install and the data scripts will fetch external data and dependencies; run them in a controlled environment (container/VM) if you are concerned. If you plan to deploy to Vercel, be aware that npx vercel deploy will use your Vercel account and credentials — do not expose secrets to any unreviewed scripts. In short: the skill itself is benign and aligns with its description, but exercise standard caution and inspect the repo code before executing build/fetch/deploy commands.

Review Dimensions

Purpose & Capability
ok: Name/description match SKILL.md content: it documents repository structure, data sources, common commands and deployment info. It does not request unrelated credentials, binaries, or system access.
Instruction Scope
ok: Runtime instructions are limited to repository navigation, npm scripts, and Vercel deploy commands. They reference repo files and external data sources (the four listed providers) which is consistent with the stated purpose. Note: following the documented commands will execute project scripts and network fetches (expected for a data-scraping/build workflow).
Install Mechanism
ok: No install spec or code files are included — the skill is instruction-only, so nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
ok: The skill declares no required environment variables or credentials. However, practical use (npm install, running data-fetch scripts, or npx vercel deploy) typically requires network access and, for deployment, Vercel/GitHub credentials — those are not requested by the skill itself, which is appropriate.
Persistence & Privilege
ok: always:false and normal model invocation settings. The skill does not request persistent system-level privileges or modify other skills' configs.