China Export Data
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is a coherent instruction-only wrapper for a disclosed third-party China export-data API, with low-risk cautions about query visibility and a credential-capability flag that conflicts with the no-auth documentation.
This skill appears safe for ordinary public trade-data lookups. Before installing or using it, confirm it does not ask for credentials, avoid sending sensitive business research queries if third-party visibility is a concern, and verify important figures against official customs or other authoritative sources.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your trade-data queries may reveal business or research interests to doumaotong.com.
The skill clearly discloses that user queries are sent to a third-party API provider. This is expected for the skill, but it means the provider can observe the user's product and market research interests.
Query parameters including HS codes, country codes, and request timestamps are transmitted to doumaotong.com servers.
Avoid submitting sensitive or proprietary research queries unless you are comfortable with the provider receiving them, and verify important data against the official customs source when needed.
If the skill or platform unexpectedly asks for credentials, the provided documentation does not explain why they are needed or how they would be used.
The requires-sensitive-credentials capability signal conflicts with the SKILL.md's statement that no API keys, tokens, or login credentials are required and with the metadata showing no required environment variables or primary credential. No artifact shows actual credential collection or use.
requires-sensitive-credentials
Do not provide credentials for this skill unless the publisher updates the documentation to specify the exact credential, scope, and purpose; otherwise treat the signal as something to verify.
