Back to skill
Skillv1.0.0
ClawScan security
什么值得买 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 2:32 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only Chinese shopping-advice skill whose declared purpose, instructions, and metadata are internally consistent and do not request extra credentials, installs, or unusual privileges.
- Guidance
- This skill is instruction-only and internally consistent, but it expects the agent to be able to fetch current marketplace prices (Taobao/Tmall, JD, PDD, Douyin, local channels). Before installing, confirm whether your agent has network/browsing connectors or e-commerce integrations — otherwise answers will be heuristic, not real-time. There's no credential or install requirement, which limits risk, but also means the skill cannot itself query private APIs. If you need provenance, check the referenced GitHub repo (clawhub.json) or ask the publisher for a homepage/source; absence of a verified homepage simply means you can't easily audit its origin, not that the skill is malicious.
Review Dimensions
- Purpose & Capability
- okName/description (shopping price/value/discount advice) matches the SKILL.md guidance and the included metadata. The skill is purely advisory and does not declare any binaries, env vars, or config paths that would be unexpected for a price-comparison advisor.
- Instruction Scope
- okSKILL.md provides detailed, scoped runtime instructions for giving shopping verdicts, normalization rules, and which channels to compare. It does not instruct the agent to read unrelated files, access secrets, or transmit data to unexpected endpoints. It assumes the agent can access channel pricing data but does not encode any data-exfiltration steps.
- Install Mechanism
- okNo install spec and no code files — instruction-only. Nothing is downloaded or written to disk by the skill itself.
- Credentials
- okNo required environment variables, credentials, or config paths are declared. The guidance about marketplaces is appropriate for the stated purpose and does not ask for unrelated secrets.
- Persistence & Privilege
- okalways:false and default autonomous invocation are used. The skill does not request permanent system presence or modify other skills or system settings.