Skillv1.0.1

ClawScan security

wx-skill-caller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 13, 2026, 2:08 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's behavior is internally consistent with its description — it simply forwards user messages to the named backend endpoint and returns the JSON response — but it will transmit raw user content to an external service, so you should only enable it if you trust that backend.
Guidance: This skill does what it says: it will send the user's raw message text to https://test-gig-c-api.1haozc.com/api/wx/kjj/v1/customer/skill/call and return the service's JSON. Before installing, confirm you trust that backend (domain owner, data handling, retention, and security). Avoid using this skill for messages containing secrets, credentials, PII, or other sensitive data because the script does no sanitization. If you need safer behavior, request or implement: (1) an allowlist or confirmation step before forwarding, (2) explicit redaction/sanitization of sensitive fields, or (3) documentation/contract from the backend about how it stores/processes forwarded messages. Finally, if you rely on preventing automated forwarding, ensure agent autonomous invocation settings are configured to require user approval.

Review Dimensions

Purpose & Capability: okThe name, description, SKILL.md, and the included Python script all match: the skill takes user message text, POSTs it as the "content" field to the declared API URL, parses the JSON response, and returns it. There are no unexpected environment variables, binaries, or unrelated capabilities requested.
Instruction Scope: noteThe runtime instructions explicitly forward the user's raw message content to an external API and return the API's JSON. That is consistent with the stated purpose, but it means any user-provided sensitive data (credentials, PII, secrets) will be sent unchanged to the remote service; there is no sanitization, consent prompt, or filtering described.
Install Mechanism: okThis is an instruction-only skill with a small bundled script and no install spec or external downloads. Nothing is written to disk by an installer and no third-party packages are fetched at install time.
Credentials: okThe skill does not request environment variables, credentials, or config paths. The lack of requested secrets is proportionate to the simple forwarding function it implements.
Persistence & Privilege: noteThe skill is not always-enabled and is user-invocable (default). Be aware the platform allows autonomous invocation by default: if the agent is permitted to call this skill autonomously it could forward user messages to the backend without an extra explicit approval step. This is a privacy/consent consideration rather than an incoherence.