Skill v1.0.0

ClawScan security

report-search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 8:15 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (searching and fetching reports from fxbaogao.com): it makes network calls only to the expected endpoints, requests no secrets, and does not install additional software.
Guidance
This skill appears to be what it says: local Python scripts that query api.fxbaogao.com and fetch report detail pages. Before installing or running it:
1) Make sure you are comfortable allowing outbound HTTPS to api.fxbaogao.com and www.fxbaogao.com from the environment that will execute the scripts.
2) The skill does not ask for credentials, but it accepts optional environment variables (FXBAOGAO_BASE_URL and others). Do not point FXBAOGAO_BASE_URL at a host you do not trust; the scripts will send their requests wherever it points.
3) Avoid setting FXBAOGAO_SSL_NO_VERIFY=1 except as a short-term debugging workaround; disabling TLS certificate verification lets an on-path attacker impersonate the API and observe or alter the traffic.
4) For extra caution, run the included validate.py and read fxbaogao_client.py (the network code) yourself, or run the scripts in an isolated or containerized environment.
5) The skill cannot work without external network access; it needs outbound HTTPS to fetch search results and report details.

Review Dimensions

Purpose & Capability
ok · The name and description describe searching and extracting reports from fxbaogao.com, and the package contains scripts that call fxbaogao APIs and render results. No unrelated binaries, credentials, or services are required by the skill.
Instruction Scope
note · SKILL.md instructs the agent to run the included search and detail scripts and to prefer summary_sections over dumping full content, which stays within scope. It also tells operators that they may set FXBAOGAO_SSL_NO_VERIFY=1 to work around local certificate issues; that guidance is explicitly optional, but it is a potentially dangerous suggestion (disabling TLS certificate verification removes the protection against man-in-the-middle attackers) and should be followed only under careful, temporary conditions.
Install Mechanism
ok · There is no install spec and no external download; the skill is delivered as scripts and markdown only. That is low-risk from an install perspective (nothing is written to disk beyond the provided files).
Credentials
note · The skill declares no required environment variables or credentials. The Python client accepts optional environment variables (FXBAOGAO_BASE_URL, FXBAOGAO_DETAIL_BASE_URL, FXBAOGAO_USER_AGENT, FXBAOGAO_HTTP_TIMEOUT, FXBAOGAO_SSL_NO_VERIFY). These are reasonable configuration knobs, but overriding FXBAOGAO_BASE_URL or FXBAOGAO_DETAIL_BASE_URL redirects the scripts to whatever server the value names, so verify the endpoints before running. The skill does not request API keys, tokens, or other secrets.
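Both the Guidance section (points 2 and 3) and the Credentials note above come down to one preflight check: confirm that the FXBAOGAO_* endpoint variables still name the expected hosts over HTTPS and that certificate verification has not been switched off. The script below is an added example written for this page; it is not part of the skill, of fxbaogao_client.py, or of ClawHub's scanner. The variable names are the ones the report lists; the allowlisted hosts are the two the report says the scripts contact; the default URLs and the exact meaning of FXBAOGAO_SSL_NO_VERIFY=1 are assumptions, since the client's source was not reproduced here.

```python
"""Preflight check for the fxbaogao skill's environment (added example, not the skill's code).

Reads the optional FXBAOGAO_* variables named in the ClawScan report and reports
anything that would send traffic off the expected hosts or weaken TLS.
"""
import os
import ssl
import sys
from urllib.parse import urlsplit

# Hosts the report says the scripts talk to.
ALLOWED_HOSTS = frozenset({"api.fxbaogao.com", "www.fxbaogao.com"})

# Assumed defaults for the endpoint variables (the real client's defaults were not inspected).
DEFAULTS = {
    "FXBAOGAO_BASE_URL": "https://api.fxbaogao.com",
    "FXBAOGAO_DETAIL_BASE_URL": "https://www.fxbaogao.com",
}


def check_url(var: str, value: str) -> list[str]:
    """Return findings for one endpoint variable; an empty list means it looks safe."""
    findings = []
    parts = urlsplit(value)
    if parts.scheme != "https":
        findings.append(f"{var}: scheme {parts.scheme!r} is not https")
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        # Catches both unknown servers and look-alikes such as api.fxbaogao.com.evil.example
        findings.append(f"{var}: host {host!r} is not one of {sorted(ALLOWED_HOSTS)}")
    if parts.username or parts.password:
        findings.append(f"{var}: URL embeds credentials")
    return findings


def check_env(env: dict) -> list[str]:
    """Check every FXBAOGAO_* setting the report lists; empty result means go ahead."""
    findings = []
    for var, default in DEFAULTS.items():
        findings += check_url(var, env.get(var, default))
    if env.get("FXBAOGAO_SSL_NO_VERIFY") == "1":
        findings.append("FXBAOGAO_SSL_NO_VERIFY=1 disables certificate verification; "
                        "unset it outside a short debugging session")
    timeout = env.get("FXBAOGAO_HTTP_TIMEOUT")
    if timeout is not None:
        try:
            if float(timeout) <= 0:
                findings.append(f"FXBAOGAO_HTTP_TIMEOUT={timeout!r} is not a positive number")
        except ValueError:
            findings.append(f"FXBAOGAO_HTTP_TIMEOUT={timeout!r} is not numeric")
    return findings


def tls_context(env: dict) -> ssl.SSLContext:
    """The context a client honouring FXBAOGAO_SSL_NO_VERIFY would build (assumed semantics).

    The default context verifies the chain and the hostname. The opt-out branch is the
    weak setting the report warns about: any certificate, including one presented by an
    on-path attacker, is accepted.
    """
    ctx = ssl.create_default_context()
    if env.get("FXBAOGAO_SSL_NO_VERIFY") == "1":
        ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    problems = check_env(dict(os.environ))
    for line in problems:
        print("preflight:", line, file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it in the same shell that will execute the skill's scripts so it sees the same environment; a non-zero exit means one of the settings deserves a look before the agent is allowed to invoke the skill.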
Persistence & Privilege
ok · always is false, and the skill does not request persistent elevated privileges or attempt to modify other skills or the global agent configuration. Autonomous invocation is allowed by default (normal) but is not combined with other concerning privileges.