Skill v1.0.2

ClawScan security

xianyu-product-manager-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 28, 2026, 8:00 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested environment variables are coherent with its stated purpose of managing products on the Xianyu platform; nothing requested or described appears disproportionate or unrelated.
Guidance
This skill appears to be what it says: a Xianyu product-management helper. Before installing, verify the trustworthiness of the xianyu-api-client-skill (the included code imports it), and only provide XIAN_YU_APP_KEY and XIAN_YU_APP_SECRET you control and expect to be used for product creation. Replace the documented default Xianyu account value with your own account when creating products (the code defaults to a hardcoded example username). Be aware that images must be publicly accessible URLs — if you upload images to a CDN, confirm you control those URLs. If you plan to allow the skill to run autonomously, consider limiting its permissions on the Xianyu side (use least privilege API credentials) and review the xianyu-api-client-skill implementation for any data handling or unexpected external calls.

Review Dimensions

Purpose & Capability
ok
Name/description, required env vars (XIAN_YU_APP_KEY, XIAN_YU_APP_SECRET), required binary (python), and the code (__init__.py) all align with a Xianyu product-management client. The SKILL.md explicitly depends on an xianyu-api-client-skill, which explains why the skill needs Xianyu credentials.
Instruction Scope
note
SKILL.md guides the agent through creating products, image sources (remote URLs, generated images, or uploaded-to-CDN), and requires an xianyu-api-client-skill. Those instructions stay within the product-management domain. Minor note: the doc references an image_generate tool and external CDNs. Using those is expected for image handling, but users should understand the image-hosting consequences (public URLs).
Install Mechanism
ok
There is no install spec (instruction-only install), which is low risk. A Python implementation file is included and imports XianYuAPIClient from the declared xianyu-api-client-skill; this is expected and consistent.
Credentials
ok
Only XIAN_YU_APP_KEY and XIAN_YU_APP_SECRET are required, which is proportionate for a platform API client. The primaryEnv is set to XIAN_YU_APP_KEY as declared. There are no unrelated credentials or broad system paths requested.
Persistence & Privilege
ok
The always field is false, and the skill does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default), but there is no additional privilege escalation.