Skillv1.0.0

ClawScan security

Alibaba Group · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 28, 2026, 2:02 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only informational skill (an encyclopedia-style writeup about Alibaba) with no installs, no requested credentials, and content consistent with its name and description.
Guidance: This skill is essentially a static encyclopedia-style article about Alibaba and is internally consistent. It does not request credentials or install software, so it presents low technical risk. Consider the following before installing: 1) source provenance—the skill's source is listed as unknown, so verify the content if you need authoritative or up-to-date data; 2) potential bias or outdated figures—use official filings or reputable news for critical decisions; 3) autonomy—the skill can be invoked by the agent (normal default), but it has no special privileges. If you need live metrics, API access, or actions (e.g., querying Alibaba Cloud), prefer a skill that explicitly declares the required credentials and install steps.
Findings: [no_regex_findings] expected: The static scanner had nothing to analyze because this is an instruction-only skill with no code files. That absence of findings is expected for a content-only skill.

Purpose & Capability: okThe skill's name/description (阿里巴巴集团) match the SKILL.md content: a timeline, business overview, and discussion of risks. There are no unrelated requirements or requested capabilities.
Instruction Scope: okSKILL.md is static content and a short metadata block (read_when). It does not instruct the agent to read local files, access environment variables, call external endpoints, or perform any actions beyond presenting the information.
Install Mechanism: okThere is no install spec and no code files. Nothing will be written to disk or downloaded during install.
Credentials: okThe skill requires no environment variables, no credentials, and no config paths; requested access is proportional to an informational skill.
Persistence & Privilege: okalways is false and the skill is user-invocable. It does not request persistent system presence or modify other skills/configuration.