Skill v1.0.0
ClawScan security
Volcengine Database Rds · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:45 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is an instruction-only helper for Volcengine RDS operations and its requirements and behavior are internally consistent, though it is high-level and omits operational details (notably how API credentials are provided).
- Guidance: This is a high-level runbook for Volcengine RDS and appears coherent, but it does not declare how the agent will authenticate to Volcengine or where API keys should come from. Before installing or using it, confirm how authentication/credentials will be supplied (platform connector, user-provided env vars, or manual steps). If you expect the skill to run API calls, require that it explicitly document required credentials and any endpoints it will call. As always, test in a non-production environment and avoid exposing long-lived secrets until you understand the integration path.
Review Dimensions
- Purpose & Capability (note): The name, description, and checklist align: the skill is a runbook for operating Volcengine RDS (inspect, validate, change, verify). However, a real operational integration would typically need Volcengine API credentials or a connector; the skill declares no required env vars or credentials. That omission is not necessarily malicious but is an incompleteness to be aware of.
- Instruction Scope (note): SKILL.md provides a short, high-level execution checklist and safety rules that stay within the stated purpose (connectivity checks, parameter/backup guidance). The instructions are intentionally generic and leave broad agent discretion (e.g., 'Execute target operation' and 'Check connectivity'), which is appropriate for a runbook but could allow the agent wide latitude when operating — the doc does not instruct reading unrelated files or exfiltrating data.
- Install Mechanism (ok): There is no install spec and no code files to run — the skill is instruction-only. This has a low install risk because nothing is downloaded or installed on the host.
- Credentials (note): The skill lists no required environment variables or credentials. For a database operations helper one would normally expect at least a Volcengine API key/secret or instructions on using an existing provider connector; absence of declared credentials is a transparency gap but not an overt red flag by itself.
- Persistence & Privilege (ok): The skill does not request persistent presence (always is false) and does not modify other skills or system config. It is user-invocable and allows model invocation (the normal default).
