Skill v1.0.0

ClawScan security

Hunter Search v1.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 20, 2026, 6:52 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini

Summary
The skill appears to implement the claimed Hunter bulk-export functionality, but its metadata and installation declarations are inconsistent with the code and SKILL.md (notably missing declared env/binary requirements), so review before use.

Guidance
This skill's code matches its description and calls only hunter.qianxin.com, but the package metadata is missing important details. Before installing or using it:
1) Treat HUNTER_API_KEY as a sensitive secret — provide it via environment variable or a secrets manager, not checked into repositories.
2) Run the script in a controlled environment (Python 3 virtualenv) and install requests (pip install -r scripts/requirements.txt).
3) Review the script yourself (it is included) to confirm network endpoints and to ensure you are comfortable with the API-key-in-query behavior; consider modifying it to send the key in an Authorization header if preferred.
4) Because the source is unknown, test with a limited/rotated API key first and avoid granting broader credentials.
5) If you expect the skill metadata to be authoritative, ask the publisher to correct the manifest to declare HUNTER_API_KEY, the Python requirement, and any install steps before widespread use.

Review Dimensions

Purpose & Capability
concern: The code and SKILL.md align with the stated purpose (calling the 奇安信 Hunter OpenAPI to create/poll/download batch export tasks). However, the skill does not declare required environment variables or binaries even though both are necessary: the script expects an API key (HUNTER_API_KEY or --api-key), Python 3 and the requests library. This mismatch between the manifest and the actual requirements is an incoherence.
Instruction Scope
ok: SKILL.md and the CLI script stick to the described workflow: encode search, create task, poll status, download result to a local file. The instructions do not request unrelated files, other credentials, or unexpected external endpoints; network calls are limited to hunter.qianxin.com.
Install Mechanism
note: There is no install spec (no automated install), which reduces risk, but the repository includes a requirements.txt and a Python script. The skill expects the requests package and Python 3, but the registry metadata does not declare these. The lack of an install step means a user/agent must install dependencies manually or may fail at runtime.
Credentials
concern: The script requires an API key (HUNTER_API_KEY or --api-key) to operate, which is appropriate for the service. However, the skill metadata lists no required env vars or primary credential; this omission is a configuration inconsistency that could lead users to unknowingly supply secrets in the wrong way. Also, the script sends the API key as a query parameter (api-key) — functional but less private than header-based auth, since query strings are more likely to end up in logs and proxies.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system-wide settings. It writes downloaded export files to the current working directory, which is expected behavior for this function.