Detects sensitive information, grammatical errors, punctuation problems, and similar issues in text by calling the 成均智能 (Chengjun) HTTP API.

Warn: Audited by ClawScan on May 13, 2026.

Overview

The skill appears to perform the advertised content-checking API call, but its code disables HTTPS certificate verification, which could expose submitted text and the API key to interception.

Review carefully before installing. The integration itself is purpose-aligned, but the current code should not be used for sensitive or production content until HTTPS certificate verification is re-enabled and the handling of submitted text is clarified.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A network attacker or misconfigured proxy could potentially intercept or tamper with the submitted text and API key.

Why it was flagged

The skill disables HTTPS certificate verification globally before making requests to the external API, so the agent cannot reliably verify it is talking to the real provider.

Skill content

ssl._create_default_https_context = ssl._create_unverified_context

Recommendation

Do not use this skill with sensitive text or production credentials until certificate verification is restored and normal HTTPS validation is enforced.

What this means

Text submitted for checking may appear in request URLs and logs, which is riskier for sensitive drafts or compliance material.

Why it was flagged

The submitted text is placed into the URL query string for a POST request, which can increase exposure through URL logging by clients, proxies, or servers.

Skill content

url = url + "?" + urllib.parse.urlencode(params) ... params={"text": text}

Recommendation

Send the text in the request body if the provider supports it, and document exactly where submitted content may be logged or retained.

What this means

Installing users must provide a valid provider credential, and that credential will be used to call the external API.

Why it was flagged

The skill requires a provider API key, which is expected for this integration, but users should notice that the registry requirements section did not declare required environment variables.

Skill content

"name": "CHENGJUN_API_KEY", "description": "成均平台API密钥", "required": true

Recommendation

Use a limited-scope API key if available, rotate it if exposed, and ensure the registry metadata accurately declares the required credential.