Skillv1.0.0

ClawScan security

aim-trade-news · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 2:00 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it claims (query AEP trending_hub) but its metadata and runtime instructions mismatch and it instructs the agent to collect and persist a sensitive token from the user chat into a local .env file — behaviors that deserve caution.
Guidance: Before installing or enabling: 1) Be aware the skill asks you to provide an AEP_AUTHORIZATION token and instructs the agent to persist it to a .env file — the token will be shared in the chat you use to send it, which may be logged by the platform. 2) Ask the skill author/maintainer to update registry metadata to declare AEP_AUTHORIZATION as a required env var. 3) Prefer to set the token yourself in a secure environment (export AEP_AUTHORIZATION in the runtime environment or create .env locally) rather than pasting it in chat; if you must paste, rotate/delete the token after use. 4) Verify the API endpoint (https://aep.vemic.com) and the token source (https://tools.mentarc.cn/aim-skills/) are trustworthy for your organization. 5) If multiple agents run on the host, confirm isolation so the persisted .env cannot be read by other agents or users. If you cannot accept these risks, do not install or invoke this skill.

Review Dimensions

Purpose & Capability: concernThe skill's purpose is a small news query service and requires an AEP API token, which is referenced throughout SKILL.md and scripts. However the registry metadata lists no required environment variables/credentials. Requiring python3 is reasonable; requiring an AEP token is expected, but the metadata omission is an incoherence that makes the skill's declared requirements inaccurate.
Instruction Scope: concernSKILL.md explicitly instructs the agent to ask the user to paste their AEP_AUTHORIZATION token into the chat and then have the agent write that token into the skill's .env file. This meaningfully expands scope: it collects a user secret via chat, persists it to disk, and relies on the agent to perform file writes. The only network endpoint contacted by the script is aep.vemic.com, which matches the stated purpose.
Install Mechanism: okNo install spec; the skill is instruction-plus-a-small-Python-script. requirements.txt only requires requests. Nothing is downloaded from arbitrary URLs and the script is small and readable.
Credentials: concernFunctionally the skill needs a single credential (AEP_AUTHORIZATION) which is proportionate to its purpose, but the skill fails to declare this in the registry metadata. Additionally, the recommended user flow (paste token into chat) exposes the token to chat logs and potentially to the platform; the skill asks the agent to persist that secret to disk (.env). There are no other unrelated credentials requested.
Persistence & Privilege: concernThe skill requires the agent to write a persistent `.env` file in the skill directory containing the user's token. The skill does not request 'always: true' and does not modify other skills, but persisting secrets to disk increases blast radius (local persistence, possible cross-agent access if isolation isn't enforced). SKILL.md notes a policy '禁止跨 agent 读凭证' but this is an instruction, not an enforced sandbox.