Skill v1.0.0

ClawScan security

BizyAir File Upload · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Mar 13, 2026, 2:04 PM)
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required inputs are consistent with a file-upload helper for BizyAir and do not request unrelated credentials or unusual system access.
Guidance
This skill appears to do exactly what it claims: upload files you point it at to BizyAir. Before installing/using it: (1) Only provide your BIZYAIR_API_KEY via an environment variable or secure channel — avoid pasting secrets into open chat messages. (2) Verify you trust BizyAir and the api/storage domains (api.bizyair.cn, storage.bizyair.cn) because uploaded files are sent there. (3) When running the script, be careful to specify only the files you intend to upload (it will read local file paths you give it). (4) You will need to install standard Python dependencies (requests, alibabacloud-oss-v2). If you want higher assurance, inspect the upload token and commit endpoints or test with a non-sensitive file and a scoped API key first.

Review Dimensions

Purpose & Capability
ok: The name/description (uploading local files to BizyAir) matches the code and SKILL.md. The script talks to api.bizyair.cn to obtain STS/OSS upload parameters, uses Alibaba OSS SDK to upload the provided local file, and then registers the resource — all expected for this purpose.
Instruction Scope
ok: SKILL.md and the script only instruct the agent/user to provide a file path and an API key (env var or argument). The runtime steps are limited to calling BizyAir APIs, uploading the specified local file to OSS using temporary STS credentials, and registering the resource. There are no instructions to read unrelated system files, secrets, or send data to third-party endpoints beyond BizyAir/storage endpoints.
Install Mechanism
ok: This is instruction + script only (no install spec). Dependencies are standard Python packages (requests, alibabacloud-oss-v2) cited in README; no downloads from untrusted URLs or archive extraction. Reasonable for a Python upload tool.
Credentials
ok: Only BIZYAIR_API_KEY is referenced as required (and optionally passed as a CLI arg). No unrelated credentials or config paths are requested. The script will request the API key from env or command line, which is appropriate and proportionate for the stated functionality.
Persistence & Privilege
ok: Skill is not always-enabled, is user-invocable, and does not modify other skills or system-wide settings. It does not request elevated privileges or persistent system presence.