Skillv0.1.0

ClawScan security

Zhaopin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 16, 2026, 8:09 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only helper for summarizing public job and company pages on zhaopin.com; its declared scope, lack of credentials/install, and instructions are internally consistent.
Guidance: This skill appears coherent and low-risk: it only documents how to fetch and summarize public job/company pages and asks for no credentials or installs. Before installing, consider: (1) ensure your agent has an approved web-browsing tool (the skill assumes web access but doesn't declare it); (2) decide whether you want the agent to run autonomously (it could perform repeated requests unless you constrain it); (3) monitor for unintended scraping or capture of personal contact information in job postings and ensure compliance with zhaopin.com's terms of service and rate limits; (4) prefer manual or rate-limited workflows if you want to avoid accidental bulk collection. If you need stronger guarantees, restrict autonomous invocation or require explicit user confirmation before each fetch.

Review Dimensions

Purpose & Capability: noteThe name/description match the instructions (search and summarize public Zhaopin pages). The skill requests no credentials or installs, which is proportionate, but it does not declare any explicit web-browsing dependency (e.g., a browser/tool) — so it implicitly depends on the agent platform providing web access to function.
Instruction Scope: noteSKILL.md limits actions to public-page retrieval, disallows login/automated applying and bulk scraping, and suggests manual triggering for pages with dynamic rendering. Instructions are high-level (search → extract → summarize) and do not ask the agent to read unrelated files or secrets. Because the steps are abstract, an autonomous agent could still implement them in ways that perform heavier scraping or collect more data than intended — the doc itself recommends frequency control and compliance.
Install Mechanism: okNo install spec or code files are present (instruction-only). Nothing is written to disk or downloaded by the skill itself.
Credentials: okNo environment variables, credentials, or config paths are requested — this aligns with the stated purpose of only accessing public web pages.
Persistence & Privilege: okThe skill is not flagged as always:true and requests no persistent system configuration. It uses the platform's normal autonomous invocation capability (default), which is expected for skills but should be considered by the user if they are concerned about automated web access.