Skill v1.60.0
ClawScan security
Cloudbase · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign
Apr 28, 2026, 12:31 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only CloudBase (Tencent 云开发) documentation skill that is internally consistent with its stated purpose and does not request unexpected credentials, installs, or privileges.
- Guidance: This skill is documentation for CloudBase and appears coherent with that purpose. Before installing or using it:
  - Treat it as a read-only reference set; review any example code before running it.
  - Do not paste secret keys into public chat prompts. For frontend examples use publishable/access keys only; for server code use secrets stored securely (not in chat).
  - If an agent or tool fetches the fallback raw URLs (cnb.cool), validate the source first.
  - The docs show patterns that write files and call management tools — ensure the agent has explicit permission to perform file writes or management API calls in your environment.

  If you want a deeper review (e.g., search for any specific example that logs or transmits sensitive data, or to verify the remote fallback URLs), provide access to the environment where the agent would run or ask for a scan of particular files.
Review Dimensions
- Purpose & Capability (ok): The skill is a large, self-contained set of CloudBase reference docs for building and deploying apps (Web, WeChat Mini Programs, mobile, cloud functions, AI model usage). Nothing in the file manifest or SKILL.md asks for unrelated capabilities (no AWS/GCP creds, no unrelated platform tokens). The included examples (Node/web/WeChat SDK usage) match the described purpose.
- Instruction Scope (ok): Runtime instructions are documentation-focused: read the local 'references/' files, route to the appropriate sub-skills, follow guardrails (EnvId explicit, serialize JSON before writing files, etc.). The guide instructs the agent to read shipped reference files and to write output files when appropriate; it does not instruct reading arbitrary system files or exfiltrating data outside the CloudBase domain.
- Install Mechanism (note): There is no install spec (instruction-only), which is lowest-risk. The SKILL references fallback raw URLs hosted at cnb.cool for standalone usage; this is not an installer but does reference remote resources. If an agent is configured to fetch those URLs, verify their authenticity before executing fetched content.
- Credentials (note): The skill does not declare required env vars or credentials in metadata (no surprise credential requests). However, example code legitimately shows using publishable access keys for web SDK and secretId/secretKey for server-side Node initialization. These are expected for CloudBase tasks — treat secret keys with care and provide only the minimum credentials needed (prefer publishable keys for frontend).
- Persistence & Privilege (ok): The skill does not request persistent/always-on inclusion (always:false) and does not attempt to modify other skills or system-wide settings. Autonomous model invocation is allowed (platform default) but not combined with elevated privileges or undeclared credentials.
