v2.0.0

AI搭子匹配平台

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:40 AM.

Analysis

The skill mostly matches its stated local profiling purpose, but its data-save command uses unvalidated input as a file path and should be reviewed before installation.

Guidance

Review this skill before installing. It appears designed for local AI-usage profiling rather than exfiltration, but the file-write path should be fixed to prevent path traversal, and you should be comfortable with local storage of your usage profile. Avoid supplying any API key unless the publisher clearly documents and declares that optional credential.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
scripts/token-collector.js
data = JSON.parse(jsonStr); ... const filePath = path.join(DAILY_DIR, `${date}.json`); fs.writeFileSync(filePath, JSON.stringify(data, null, 2), 'utf-8');

The date value comes from the input JSON and is used as part of the output path without rejecting slashes, '..', or checking that the resolved path stays inside data/daily.

User impact: Malformed or adversarial saved data could cause the script to write a JSON file outside the intended skill data folder, potentially overwriting other local JSON files.

Recommendation: Validate date as a strict YYYY-MM-DD value, reject path separators and '..', and use path.resolve plus a containment check before writing.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low. Confidence: Medium. Status: Note.
references/guide.md
Generate a user profile (optional: set ANTHROPIC_API_KEY to get an AI-enhanced summary) ... API calls are used only to generate text summaries

The guide mentions an optional provider API key and API use even though the registry declares no credentials and the main SKILL.md says no external API calls.

User impact: A user might provide a third-party API key based on the guide, despite the credential and network behavior not being consistently declared.

Recommendation: Do not provide an API key unless you confirm the feature is needed; the publisher should either declare the optional credential clearly or remove the stale API-key guidance.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low. Confidence: High. Status: Note.
SKILL.md
The AI agent uses `session_status` to obtain usage data for the current session ... `tokenUsage` ... `modelFrequency` ... `toolCallFrequency` ... `installedSkills` ... all data is stored under `data/` in the skill's own directory

The skill intentionally persists usage telemetry and derived profiles for later viewing and matching.

User impact: Your local AI usage patterns, installed skill list, and profile labels may be stored and reused by this skill.

Recommendation: Install only if you are comfortable keeping this local profile, and review or delete the skill's data directory before sharing profiles or uninstalling.