Skill v0.1.0
ClawScan security
Alipay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 9:05 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (summarize public Alipay pages) matches its instructions and it requests no credentials, installs, or unusual privileges.
- Guidance: This skill appears coherent and low-risk: it only describes reading public Alipay pages and requires no credentials or installation. Before enabling, consider: ensure the agent enforces the 'no login / no payment' rule in practice; confirm scraping respects Alipay's robots.txt and terms of service and rate limits; monitor network requests for unexpected destinations (in case the skill is later changed); and avoid providing any Alipay account credentials or secrets to the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description match SKILL.md: the skill only targets public Alipay product/announcement/city-service pages and explicitly excludes login or payment actions. No unrelated credentials or binaries are requested.
- Instruction Scope (ok): Runtime instructions are limited to visiting and parsing public pages, waiting for dynamic load, extracting specified fields, and respecting rate limits. The SKILL.md does not instruct reading local files, accessing unrelated env vars, or sending data to unfamiliar endpoints.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — nothing is written to disk or fetched during install.
- Credentials (ok): No environment variables, credentials, or config paths are required; this is proportionate for a public-page summarization skill.
- Persistence & Privilege (ok): always:false and user-invocable:true (defaults) — the skill does not request forced inclusion or elevated platform privileges and does not modify other skills or system-wide config.
