Skillv1.0.0

ClawScan security

anjuke-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 15, 2026, 12:11 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's described automation purpose largely matches the instructions, but it asks for sensitive credentials/ID data and tells the agent to persist those secrets in skill documents, and it claims full browser automation without declaring how that will be performed — these inconsistencies raise privacy and operational concerns.
Guidance: This skill will ask for your Anjuke login (phone and password) and personal ID info (last 6 digits) and then tell the agent to save those values into skill documents. Before installing or using it: 1) Prefer a solution that uses an official API or a platform secrets store instead of saving plaintext credentials into skill docs; 2) If you must test, use a throwaway/dummy account (not your real account or real ID); 3) Ask the publisher (unknown here) how credentials are stored, who can access them, and for what retention period; 4) Confirm how browser automation will be performed (does the agent drive your local browser, require a headless browser, or expect network access to internal systems); 5) Avoid giving ID information unless absolutely necessary for a single interactive verification step; and 6) Because the source is unknown and some subskills contain vague/placeholder steps, treat this skill as high-risk and do not supply real credentials until the storage and automation details are clarified.

Review Dimensions

Purpose & Capability: noteThe name/description (automating Anjuke account login, publishing, optimizing listings, verification) aligns with requesting account credentials and interacting with Anjuke pages. However the skill claims full end-to-end automation (open default browser, perform actions, read internal '内网' data) but declares no required binaries, tools, or permissions (no browser-automation tooling, no network/access requirements). That mismatch (claiming automation but not declaring the capabilities required) is notable.
Instruction Scope: concernThe runtime instructions explicitly ask the agent to solicit highly sensitive user data (phone number login, password, user name, last 6 digits of ID) and then update/persist those secrets into the subskill document (login_your_account). Persisting plaintext credentials/ID fragments into skill documents creates a high risk of accidental disclosure or exfiltration. The publish_house reference is vague/placeholder ('怎么做怎么做'), giving the agent broad latitude. All of this expands the agent's scope beyond narrowly defined actions and increases risk.
Install Mechanism: noteThere is no install spec or code — lowest surface area. That said, as an instruction-only skill it depends on the agent/platform having the ability to open and control a browser and access internal systems; those capabilities are not declared. The absence of declared automation tooling or required permissions is an operational inconsistency (not necessarily malicious but concerning).
Credentials: concernThe skill requests no environment variables, but it instructs the agent to collect and store very sensitive user secrets (password and ID bits). While credentials are logically needed to log in, the instruction to persist them in skill docs (without guidance for secure storage such as a secrets store or encryption) is disproportionate and risky. There is also mention of pushing '内网' data — the skill doesn't ask for or justify any internal-system credentials or access method.
Persistence & Privilege: concernalways:false (good), but the skill explicitly instructs persisting user credentials and ID fragments into subskill documents. That creates durable sensitive state inside the skill's stored files/configs and increases blast radius if the platform stores or exposes those documents. The skill does not describe secure storage or retention policies.