Skill v1.0.7

ClawScan security

智慧餐饮 (Smart Dining) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 20, 2026, 8:56 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary
Skill’s stated purpose (restaurant assistant) matches its runtime instructions, but there are inconsistent and unexplained deployment/privacy details (IP vs domain, multiple domains/contact points, TLS/auth ambiguity) that merit caution before use.
Guidance
This skill appears to implement a normal restaurant assistant, but there are red flags you should verify before installing or using it in production:

- Endpoint vs Domain: skill.json uses an HTTPS IP (https://132.33.3.231/mcp) while PRIVACY.md and skill.json reference multiple domains (www.airesistant.com, ai-restaurant.cloud, clawhub.ai). Ask the maintainer to confirm the real service hostname, provide a valid TLS certificate for that hostname, and explain why an IP is used.
- TLS / Certificate: an IP-based HTTPS URL will normally not match a Let's Encrypt domain certificate. Confirm the agent will validate TLS certificates and that the certificate CN/SAN matches the expected host.
- Authentication: skill.json lists 'ip_whitelist' but the SKILL.md gives no client-side auth instructions. Ask how the agent should authenticate (API key, client cert, signed requests) so requests are not accepted anonymously.
- Data handling: the skill will send PII (phone, address, order contents) to the remote MCP. Confirm retention, logging, and deletion practices (PRIVACY.md claims short retention, but reconcile with who hosts the endpoint). If you are deploying this for a restaurant, test in an isolated environment and review network traffic to confirm the endpoint and cert.
- Provenance & contact: the package references multiple domains and a contact email — request a clear homepage, repository, and deployment details (who operates 132.33.3.231?). Prefer skills with consistent domain names, verifiable HTTPS certs, and public source or vendor contact you can validate.

If you cannot get satisfactory answers (valid hostname/cert, explicit auth method, consistent privacy claims, clear operator identity), do not deploy this skill where it will handle real user PII.

Review Dimensions

Purpose & Capability [note]
Name/description, declared tools (menu, order, reserve, queue, member, etc.) and SKILL.md instructions align: an AI agent calling a remote MCP service to manage restaurant flows is coherent. However, the declared MCP endpoint is an HTTPS IP address (https://132.33.3.231/mcp) while several different domains appear in privacy/metadata (www.airesistant.com, ai-restaurant.cloud, clawhub.ai). The mismatch between IP and multiple domains (and a misspelling 'airesistant') is inconsistent with the claimed TLS/domain setup and is unexplained.

Instruction Scope [concern]
SKILL.md instructs the agent to POST JSON-RPC (MCP) to the mcp_server.url and to send/operate on user data (user_id, phone, delivery address, order contents). That is expected for an ordering skill, but the instructions do not specify authentication/authorization for the MCP calls, nor do they require verifying the server certificate/domain. The agent will transmit personal data (phone, address) to the remote MCP endpoint — acceptable for purpose but risky given the endpoint/auth ambiguities.

Install Mechanism [ok]
Instruction-only skill with no install spec and no code files present — lowest install risk. Nothing is written to disk by an installer in the package itself.

Credentials [note]
Skill declares no required environment variables or credentials, which is consistent for an instruction-only wrapper that delegates to an external MCP. However, the skill will cause the agent to transmit PII (phone numbers, addresses, order details) to a remote server; absence of declared auth credentials (API key, OAuth) combined with 'auth_method': 'ip_whitelist' in skill.json is an operational gap — how the agent authenticates/authorizes calls is unspecified.

Persistence & Privilege [ok]
`always` is false and autonomous invocation is allowed (platform default). The skill does not request persistent system-level privileges or modify other skills. No concerns in this dimension alone.