Skill v1.0.0
ClawScan security
Content Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 13, 2026, 8:36 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (it calls the TikHub API to analyze Xiaohongshu/Douyin content), but its runtime instructions and bundled script request and access things SKILL.md does not declare, notably a TikHub API token and a user config file, and the script follows arbitrary redirects while explicitly clearing proxy environment variables. These mismatches between declared and actual behavior, together with the network behavior, are the concern.
- Guidance: Before installing or invoking this skill, consider the following:
  1. The bundled script requires a TikHub API token (TIKHUB_API_TOKEN) even though the skill metadata does not declare it. Provide only a token with limited scope, and review TikHub's docs and policies.
  2. The script resolves short links by following redirects to arbitrary targets, so running it can cause requests to external or internal addresses (SSRF / network exposure). If you operate behind a proxy, note that the script explicitly clears proxy environment variables, which may bypass your network controls.
  3. If you plan to use it, inspect the full script yourself or run it in a sandbox or container; verify that it only calls api.tikhub.io and that the token is stored securely. Ask the author to update SKILL.md and the metadata to declare TIKHUB_API_TOKEN and to warn about short-link resolution and proxy behavior before trusting the skill in a sensitive environment.
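The checks the guidance asks for (an undeclared TIKHUB_API_TOKEN, the read of ~/.openclaw/openclaw.json, cleared proxy variables, outbound calls only to api.tikhub.io, redirect following) can be made mechanical before the script ever runs. What follows is an added example written for this page; it is neither ClawHub's scanner nor the skill's own code. It audits a constructed stand-in script whose JSON key name and bare TikHub base URL are assumptions, and it assumes Python 3.9 or later.

```python
"""Static pre-install audit of a skill's bundled Python script.

Added example; neither ClawHub's scanner nor the skill's own code. Walks the
script's AST and reports: environment variables read or removed (against what
SKILL.md declares), hosts named in URL literals (against an allowlist),
home-directory paths, and redirect following. Assumes Python 3.9+.
"""
import ast
import re
from urllib.parse import urlparse

PROXY_VARS = {v for base in ("HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY")
              for v in (base, base.lower())}
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def _str(node):
    """Value of a string literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _is_os_attr(node, name):
    """True for the expression os.<name>."""
    return (isinstance(node, ast.Attribute) and node.attr == name
            and isinstance(node.value, ast.Name) and node.value.id == "os")


def audit_script(source, declared_env=(), allowed_hosts=()):
    """Return a findings dict for the script text `source`."""
    env_read, env_removed, strings = set(), set(), set()
    follows_redirects = False
    for node in ast.walk(ast.parse(source)):
        s = _str(node)
        if s is not None:
            strings.add(s)
        # os.environ["X"] (read) and del os.environ["X"] (removal)
        if isinstance(node, ast.Subscript) and _is_os_attr(node.value, "environ"):
            key = _str(node.slice) or "<dynamic>"
            if isinstance(node.ctx, ast.Del):
                env_removed.add(key)
            elif isinstance(node.ctx, ast.Load):
                env_read.add(key)
        if not isinstance(node, ast.Call):
            continue
        fn, first = node.func, (_str(node.args[0]) if node.args else None)
        # os.environ.get("X") / os.environ.pop("X") / os.getenv("X")
        if isinstance(fn, ast.Attribute) and _is_os_attr(fn.value, "environ"):
            if fn.attr == "get":
                env_read.add(first or "<dynamic>")
            elif fn.attr == "pop":
                env_removed.add(first or "<dynamic>")
        elif _is_os_attr(fn, "getenv"):
            env_read.add(first or "<dynamic>")
        # requests-style allow_redirects=True on any call
        for kw in node.keywords:
            if (kw.arg == "allow_redirects" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                follows_redirects = True
    hosts = {urlparse(u).hostname for s in strings for u in URL_RE.findall(s)} - {None}
    proxy_removed = env_removed & PROXY_VARS
    if "<dynamic>" in env_removed:
        # key came from a variable or loop; fall back to proxy names present as literals
        proxy_removed |= strings & PROXY_VARS
    return {
        "env_read": sorted(env_read),
        "undeclared_env": sorted(env_read - set(declared_env) - {"<dynamic>"}),
        "proxy_vars_removed": sorted(proxy_removed),
        "hosts": sorted(hosts),
        "unexpected_hosts": sorted(hosts - set(allowed_hosts)),
        "home_paths": sorted(s for s in strings if s.startswith("~")),
        "follows_redirects": follows_redirects,
    }


# Constructed stand-in reproducing the behaviors the verdict describes. It is
# parsed, never executed, and is not the skill's real script; the JSON key
# name and the bare TikHub base URL are assumptions.
SAMPLE_SCRIPT = '''
import json, os, requests

for var in ("HTTP_PROXY", "HTTPS_PROXY"):
    os.environ.pop(var, None)
del os.environ["ALL_PROXY"]

token = os.environ.get("TIKHUB_API_TOKEN")
if not token:
    with open(os.path.expanduser("~/.openclaw/openclaw.json")) as fh:
        token = json.load(fh).get("tikhub_api_token")

final = requests.head(input_url, allow_redirects=True).url
resp = requests.get("https://api.tikhub.io/", params={"url": final},
                    headers={"Authorization": "Bearer " + token})
'''

if __name__ == "__main__":
    report = audit_script(SAMPLE_SCRIPT, allowed_hosts=("api.tikhub.io",))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real script text (`audit_script(open(path).read(), declared_env=<env vars from SKILL.md>, allowed_hosts=("api.tikhub.io",))`) and treat a non-empty `undeclared_env`, `unexpected_hosts` or `proxy_vars_removed` as a blocker. Because `os.environ.pop` is often called from a loop, a removal with a non-literal key is reported against every proxy name that appears anywhere as a string literal; that is deliberately conservative. The audit only sees literals, so a hostname assembled at runtime will not appear in `hosts`, which is itself a reason to read the script by hand.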
Review Dimensions
- Purpose & Capability (concern): The skill's purpose is to analyze Xiaohongshu and Douyin content via the TikHub API, which matches the code's HTTP calls to api.tikhub.io. However, SKILL.md declares no required credentials or config, while the script reads a TikHub token from the TIKHUB_API_TOKEN environment variable or from ~/.openclaw/openclaw.json. A TikHub token is necessary for the stated purpose yet absent from the skill metadata, so the declaration and the behavior do not match.
- Instruction Scope (concern): SKILL.md tells the agent to execute the bundled script at an absolute path. The script (1) resolves short links by following redirects to arbitrary final URLs and (2) makes outbound HTTP requests to TikHub endpoints. Because the short links are user-provided, the skill will initiate requests to whatever those links redirect to, including internal hosts (server-side request forgery or network scanning). SKILL.md's 'Risk Control' section claims read-only behavior but does not warn about following redirects to arbitrary domains or about the network implications of clearing proxy environment variables.
- Install Mechanism (ok): There is no external install or download step; the skill consists of SKILL.md instructions plus a bundled Python script that runs locally from the skill path. No external archives or unknown installers are fetched during install, which lowers supply-chain risk.
- Credentials (concern): The script requires a TikHub API token (TIKHUB_API_TOKEN), but the skill metadata lists no required environment variables or primary credential. The script also attempts to read ~/.openclaw/openclaw.json to find a token, a user config file the metadata does not declare. Additionally, the script clears common proxy environment variables before making requests, overriding user or sysadmin proxy settings and potentially bypassing monitoring controls.
- Persistence & Privilege (ok): The skill is not marked 'always: true' and requests no persistent system privileges; it executes a local script only when invoked. The one noteworthy behavior is that the script clears proxy-related environment variables in its own process, which affects outbound networking for that execution but does not persist any change to the system.
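The Instruction Scope and Credentials findings come down to one pattern: a redirect chain followed to whatever final URL it reaches, with proxy variables cleared along the way. The resolver below is an added example written for this page, not the skill's script, showing how the same short-link resolution can be done without that exposure. The allowlist of final hosts, the redirect chain, the DNS answers and the placeholder public IPs are all constructed for the offline demo; nothing here is taken from the skill.

```python
"""Hop-by-hop short-link resolution with SSRF guards.

Added example, not the skill's script. Redirects are followed one hop at a
time; before every hop the URL must be http(s) on a default port and its
hostname must resolve only to public addresses; the chain must end on an
allowlisted host within MAX_HOPS. Network access is injected so the demo runs
offline against a constructed redirect chain.
"""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Assumed allowlist of hosts a resolved Xiaohongshu/Douyin link may end on.
ALLOWED_FINAL_HOSTS = {"www.xiaohongshu.com", "www.douyin.com"}
MAX_HOPS = 5


class UnsafeRedirect(Exception):
    """Raised when a hop would leave the allowed network or host set."""


def default_resolver(host):
    """Real DNS lookup: every A/AAAA answer for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _require_public(host, resolver):
    """Reject hosts resolving to private, loopback, link-local or other non-global ranges."""
    addrs = resolver(host)
    if not addrs:
        raise UnsafeRedirect(f"{host}: no address")
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise UnsafeRedirect(f"{host} resolves to non-public {addr}")


def resolve_short_link(url, fetch_head, resolver=default_resolver,
                       allowed=ALLOWED_FINAL_HOSTS):
    """Follow redirects manually.

    fetch_head(url) -> (status, location) must send exactly one request and
    must not follow redirects itself (e.g. requests.head(url, allow_redirects=False)).
    """
    for _ in range(MAX_HOPS + 1):
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise UnsafeRedirect(f"unsupported URL {url!r}")
        if parts.port not in (None, 80, 443):
            raise UnsafeRedirect(f"unexpected port in {url!r}")
        _require_public(parts.hostname, resolver)
        status, location = fetch_head(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        if parts.hostname not in allowed:
            raise UnsafeRedirect(f"chain ended on unexpected host {parts.hostname}")
        return url
    raise UnsafeRedirect("too many redirects")


# Constructed redirect chains and DNS answers for the offline demo; none are
# real short links, and the public IPs are routable placeholders only.
FAKE_REDIRECTS = {
    "https://xhslink.example/abc": (302, "https://www.xiaohongshu.com/explore/123"),
    "https://www.xiaohongshu.com/explore/123": (200, None),
    "https://evil.example/meta": (302, "http://169.254.169.254/latest/meta-data/"),
    "https://evil.example/loop": (302, "/loop"),
    "https://evil.example/page": (200, None),
}
FAKE_DNS = {
    "xhslink.example": ["8.8.8.8"],
    "www.xiaohongshu.com": ["1.1.1.1"],
    "evil.example": ["9.9.9.9"],
    "169.254.169.254": ["169.254.169.254"],
}


def fake_fetch_head(url):
    """Stand-in for a single non-following HEAD request."""
    return FAKE_REDIRECTS.get(url, (404, None))


def demo(url):
    """Resolve url against the fake network; return the final URL or a 'blocked: ...' reason."""
    try:
        return resolve_short_link(url, fake_fetch_head, FAKE_DNS.get)
    except UnsafeRedirect as exc:
        return "blocked: " + str(exc)


if __name__ == "__main__":
    for link in ("https://xhslink.example/abc", "https://evil.example/meta",
                 "https://evil.example/loop", "https://evil.example/page"):
        print(link, "->", demo(link))
```

Two caveats a practitioner should keep in mind. The address check and the HTTP client's own connection are separate lookups, so a rebinding DNS name can pass `_require_public` and then resolve to an internal address on the actual request; for strict use, connect to the address that was checked (or pin it in the client) instead of letting the client resolve again. And because nothing here touches HTTP_PROXY or its relatives, an organization's proxy still sees and can police every hop, which is the behavior the verdict says the bundled script removes.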
