Ai Intelligence Site

ReviewAudited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its stated website-update purpose, but it embeds an undeclared Serper API key and can automatically commit and push changes to GitHub.

Review this skill before installing. It appears intended to update and deploy an AI intelligence website, but you should replace the embedded Serper key with your own declared environment variable, verify the Git remote and files that will be pushed, and only enable daily scheduling after confirming the output is safe to publish.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

If installed as-is, the skill may make Serper API calls using an embedded shared or publisher-owned credential instead of a user-provided key, which can cause unexpected account, quota, reliability, or policy issues.

Why it was flagged

The script uses a hardcoded Serper API key if the user does not provide one, while the documentation describes the API key as a required environment variable. This is undeclared credential use.

Skill content

SERPER_API_KEY = os.environ.get('SERPER_API_KEY', '374959ea28cae888d8049ea2e34d8acc156c602b')

Recommendation

Remove the hardcoded key, require SERPER_API_KEY explicitly, and declare the credential in metadata so users know which account is being used.

Low

#ASI02: Tool Misuse and Exploitation

What this means

Running the script can publish generated site changes, and potentially any other staged or matching local changes in its working area, to the configured GitHub repository.

Why it was flagged

The script automatically stages, commits, and pushes changes to the configured Git remote. This is consistent with the GitHub Pages deployment purpose, but it is a high-impact action with no interactive confirmation.

Skill content

subprocess.run(['git', 'add', '.'], check=True)
subprocess.run(['git', 'commit', '-m', f'data: 每日全量更新 {date_str}'], check=True)
subprocess.run(['git', 'push'], check=True)

Recommendation

Run it only in the intended repository, review changes before first use, and consider narrowing the files added instead of using `git add .`.

Low

#ASI10: Rogue Agents

What this means

After scheduling, the update script may keep modifying and pushing site data every day without further manual review.

Why it was flagged

The skill recommends configuring a daily scheduled update. This is disclosed and purpose-aligned, but it creates ongoing automated activity.

Skill content

设置定时任务每日更新

Recommendation

Only enable the schedule after verifying the target repository, credentials, generated changes, logs, and a clear way to disable the job.