Bic Qa - 佰晟问答
Analysis
This is a coherent instruction-only BIC-QA API integration, but it uses a user-provided API key and sends the user’s question to BIC-QA’s external API.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
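Successful response: JSON, usually containing a `result` field. **Compose the answer based only on `result` and the user's question**, and follow the instructions in it regarding version, wording, and structure.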
The skill makes the API result authoritative for the final answer. This is normal for a knowledge-base skill, but the agent should keep any returned instructions limited to answering the user’s specific question.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
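The integration layer or Agent must be able to read the Key before sending a request and assemble it as **`Authorization: Bearer <你的_API_Key>`**. ... The Agent tries the following in priority order: environment variable → configuration file.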
The skill requires an API key and instructs the agent to read it from an environment variable or local config file before calling BIC-QA. This is expected for the service, but it is still account credential use.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
curl -s -X POST "https://api.bic-qa.com/skills/qa" ... -d '{"question":"QUESTION","dbtype":"DBTYPE"}'
The skill sends the user’s question and database/topic type to an external provider endpoint. The endpoint is disclosed and purpose-aligned, but user-provided content leaves the local agent context.
