Category Selection
Pass. Audited by ClawScan on May 10, 2026.
Overview
The skill's behaviour is broadly consistent with its stated goal of generating Amazon category research reports, but it runs local scripts, calls the external Sorftime API, reads the API key from .mcp.json, and saves reports and logs locally.
Before installing, make sure you trust the included scripts and Sorftime API integration, confirm that using the .mcp.json API key is acceptable, choose analysis limits carefully to avoid unnecessary API usage, and keep generated report/log files in a trusted location.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running an analysis can execute local scripts, send the requested category/site to Sorftime, and consume API quota.
The skill instructs local Python execution and outbound MCP API calls. This is central to the stated report-generation purpose, but users should notice that the agent may run commands and call a paid/credentialed provider.
python .claude/skills/category-selection/scripts/workflow.py "Sofas" US 20 ... curl -s -X POST "https://mcp.sorftime.com?key={API_KEY}"
Run it only in a trusted workspace, review the requested category/limit before execution, and keep API usage limits in mind.
The skill can use the Sorftime account/API key already configured in the project, which may incur provider usage or expose the key if the workspace is not trusted.
The script automatically extracts the Sorftime API key from local MCP configuration. This is purpose-aligned for calling Sorftime, but it is credential use and is not declared in the registry requirements.
config_file = Path(".mcp.json") ... url = config['mcpServers']['sorftime']['url'] ... return url.split('key=')[-1]
Use a scoped Sorftime key where possible, verify .mcp.json before running, and do not install the skill in workspaces where that key should not be used.
A user may not realize from the registry metadata that installing the skill includes local code intended to be executed.
The registry/install metadata describes no install mechanism, while the artifact includes and documents runnable Python scripts. This is not malicious by itself, but the runtime/dependency surface is under-described.
No install spec — this is an instruction-only skill. Code file presence: 17 code file(s)
Review the included scripts and ensure Python dependencies are installed from trusted sources; the publisher should declare runtime requirements and config usage.
Local report files may reveal which markets or categories the user is researching.
The workflow persists generated reports, raw decoded data, keyword/trend data, and execution logs locally. This is expected for reporting, but it can retain business research context.
category-reports/ ... report.md ... data.json ... top_products.json ... scores.json ... execution.log ... keywords.json ... trend_data.json
Store generated reports in a trusted project directory and delete or archive them according to your data-retention needs.
