Skill v1.0.0
ClawScan security
Qizheng Oasis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 23, 2026, 12:41 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime behavior do not fully match its documentation: it silently calls an external LLM API and reads local credential files/paths even though the SKILL.md/HTML claim rule-based generation and state that no credentials are needed.
- Guidance: Key issues to consider before installing:
  1. The code will attempt to call a third-party LLM (SiliconFlow) and will look for a SILICONFLOW_API_KEY in /workspace/.credentials or the environment — but the skill's documentation claims no LLM/zero token usage. If you do not trust SiliconFlow or do not want workspace data sent externally, do not provide that API key.
  2. The dashboard JS contains remote file-fetch URLs referencing workspace file paths; verify whether those endpoints are trustworthy and that no sensitive files (credentials, secrets, proprietary data) will be exposed.
  3. If you need the simulator but want to avoid external calls, run the included rule-based scripts (run_blueberry.py, run_simulation.py, analyze.py) in an isolated environment and inspect/modify generate_profiles.py to disable the LLM branch (it already has a fallback rule-based generator).
  4. Ask the author to clarify why an external LLM is used, to declare required env vars/config paths, and to document what data is sent off-host.
  5. Prefer running this skill in an isolated/containerized workspace with no sensitive secrets mounted until you confirm its network behavior.
- Findings:
  - [EXTERNAL_API_CALL_SILICONFLOW] unexpected: generate_profiles.py and run_crisis.py POST to https://api.siliconflow.cn/v1/chat/completions using a SILICONFLOW_API_KEY. Calling an external LLM to generate agent profiles can be legitimate, but the SKILL.md/HTML claim no LLM usage and the manifest does not declare this credential requirement — so this network call is unexpected and should be disclosed/justified.
  - [LOCAL_CREDENTIAL_FILE_READ] unexpected: Scripts attempt to read /workspace/.credentials/siliconflow-api.txt. The skill did not declare required config paths; reading workspace credential files without declaration risks using sensitive keys present in the environment.
  - [EMBEDDED_REMOTE_JS_FILE_FETCH] unexpected: dashboard/index.html defines PROMO_URL/CRISIS_URL that call agent-cdn.minimaxi.com with workspace file_path query parameters. If used, such endpoints could fetch workspace files; their presence in UI JS is a potential exfiltration vector and is not documented in SKILL.md.
Review Dimensions
- Purpose & Capability (concern): The package claims to be a self-contained market/crisis simulator, and the SKILL.md/HTML state '规则生成,无LLM调用,零Token消耗' (rule-based generation, no LLM calls, zero token consumption), but multiple included scripts (generate_profiles.py, run_crisis.py, others) make outbound calls to a third-party LLM service (SiliconFlow) and attempt to read a local credential file (/workspace/.credentials/siliconflow-api.txt) or the environment variable SILICONFLOW_API_KEY. The skill did not declare any required env vars or credential paths, so the external-API usage is not proportional to the declared purpose/requirements.
- Instruction Scope (concern): SKILL.md instructs running local Python scripts and presents role/profile generation as rule-based. In reality generate_profiles.py contains code to POST prompts (including blueprint data and scenario text) to an external LLM endpoint, sending potentially sensitive workspace content. The dashboard JS also contains remote file_fetch URLs pointing at agent-cdn.minimaxi.com which reference workspace file paths. The instructions do not warn about network calls, credential reads, or transmitting simulation inputs/outputs off-host.
- Install Mechanism (note): There is no install spec (instruction-only install), which lowers installer risk. However, the skill bundle includes many executable Python files that will run locally and perform network I/O; nothing is pulled at install time, but the code on disk will perform external HTTP requests when executed.
- Credentials (concern): The skill declares no required env vars or config paths, yet multiple scripts read /workspace/.credentials/siliconflow-api.txt and call os.environ.get('SILICONFLOW_API_KEY'). Asking for (or using) an external API key is reasonable if LLM profile generation is intended, but the key/config access is not declared and the SKILL.md explicitly claims zero token usage — this mismatch is a red flag. The JS dashboard's remote file_fetch URLs reference workspace file paths (possible exfiltration vector).
- Persistence & Privilege (ok): `always` is false and there is no installer forcing persistent inclusion. The skill doesn't request system-wide changes in the provided manifests. It writes/reads files under /workspace/data and /workspace/skills/qizheng-oasis (normal for a skill), and does not attempt to modify other skills' configs.
