Skillv1.0.0

ClawScan security

收款测试，每次0.01 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 1, 2026, 11:34 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill is mostly coherent with a low-value payment-test flow, but it contains hard-coded cryptographic keys and other inconsistencies that make payment verification trivially forgeable and raise operational concerns.
Guidance: Key points to consider before installing or using this skill: - Security-critical flaw: the symmetric SM4 key (SM4_KEY) is hard-coded in the repository. Because the same key is used to decrypt/validate payment credentials, anyone with this code can fabricate a valid credential (payStatus: SUCCESS, matching orderNo and amount) and bypass payment. Do NOT use this for real payments without redesigning the verification. - If you intend to use it only as a local developer demo, consider replacing the embedded key with a server-side secret that is never stored in client code and verify payments server-side against the real payment provider. - The SKILL.md contains incorrect script paths relative to the included files; update the commands to point to the actual script locations (or move files) before relying on the instructions. - The code depends on the gmssl.SM4 library but the skill declares no dependency list; the runtime environment must install this package. - The SKILL.md metadata requests 'credential.read' but the skill does not explain why platform credentials would be needed — remove unnecessary permissions or justify them. - Because the repository leaks secret material (SM4 key) and has verification logic that is trivially bypassable, avoid installing/trusting this skill in production or with real money. If you want, I can suggest secure alternatives (server-side payment verification, removing embedded keys, or integrating with a vetted payment provider) and help rewrite the flow.

Review Dimensions

Purpose & Capability: noteThe skill claims to be a 0.01 CNY payment-test + AI writing demo and the code implements order creation, encryption, and post-payment service execution — this matches the stated purpose. However, the repository embeds a symmetric SM4 key and a PAY_TO value directly in code (used for both creating and validating payment tokens), which is unusual for a payment flow and undermines the security of the payment check. The SKILL.md metadata also requests 'credential.read' permission which is not justified by the described workflow.
Instruction Scope: concernRuntime instructions tell the agent to run local Python scripts and to call an external 'clawtip' skill for payment, which aligns with the purpose. But the SKILL.md uses paths like 'skills/clawtip-aiwriter/scripts/...' while the actual files are at 'scripts/...', an actionable mismatch that will break execution. The scripts rely on a shared symmetric key for verifying payment credentials; because that key is hard-coded and present in the repo, anyone with the code can create a valid 'credential' and bypass payment — this is a direct logic/security problem in the instructions+code.
Install Mechanism: noteThis is an instruction-only skill with bundled scripts (no install spec), so nothing is downloaded at install time. The scripts import gmssl.sm4 (gmssl), but no dependency or environment guidance is declared in the SKILL.md — the runtime may fail if gmssl isn't installed.
Credentials: concernNo environment variables or credentials are declared as required, yet the SKILL.md metadata lists 'credential.read' permission. The code embeds sensitive material (SM4_KEY and PAY_TO) in plaintext inside the repository. Embedding the symmetric key makes credential verification trivial to forge and is disproportionate/unsecure for a payment flow. There is no justification for requesting credential-read permission from the agent/platform in the presented workflow.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) and appropriate for an invoicing/payment helper. No persistence/privilege escalation is evident.