Back to skill
Skillv1.2.0
ClawScan security
Meituan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 10:22 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This instruction-only Meituan decision helper is internally consistent with its description: it contains heuristics for recommending whether to place an order and does not request credentials, install code, or instruct network or sensitive access.
- Guidance
- This skill is a heuristic, instruction-only helper that does not access your Meituan account or request keys—it's designed to ask you (or use provided menu/cart details) and return a recommendation. Before installing: (1) don't paste account credentials or private order data into prompts; (2) expect output to be judgment calls based on the information you provide (not live API data); (3) if you need live inventory/pricing from Meituan, prefer an integration that explicitly lists the API and required credentials. Overall the skill appears coherent and low-risk, but treat its recommendations as advisory rather than authoritative.
Review Dimensions
- Purpose & Capability
- okThe name/description match the runtime instructions: the SKILL.md describes decision rules for pricing, delivery time, merchant risk, and refund practicality. No unrelated capabilities (cloud access, account manipulation) are requested.
- Instruction Scope
- okSKILL.md is an instruction-only document that defines how to evaluate a Meituan ordering decision using publicly observable factors and user-provided order/cart details. It does not instruct the agent to read system files, access environment variables, call external endpoints, or exfiltrate data.
- Install Mechanism
- okThere is no install spec and no code files to execute. The package.json/main points to SKILL.md; nothing will be downloaded or written at install time.
- Credentials
- okNo required environment variables, credentials, or config paths are declared. The SKILL.md explicitly states it does not log in or access account state, so requested access is proportional to the stated purpose.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request persistent system privileges or modifications to other skills or agent-wide settings.