Skill v1.0.0
ClawScan security
商业计划生成器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 7:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill's code, instructions, and required environment variables are consistent with its stated purpose of generating business plans using OpenAI; it only requires an OpenAI API key for full (online) generation and otherwise behaves as a local template generator.
- Guidance: This skill appears to do what it says: full mode sends your product description and prompt to OpenAI using the OPENAI_API_KEY, while quick mode runs locally without networking. Before using: (1) Only set a valid OPENAI_API_KEY if you accept that prompt text will be sent to OpenAI; avoid including sensitive IP, secrets, or confidential business data in the description. (2) Verify you install the official openai package from PyPI (pip install openai) and review the code locally if you want to confirm behavior. (3) Be mindful of API usage costs when using full mode; quick mode is safe and offline. If you need higher assurance, run the script in an isolated environment or inspect network traffic to confirm it only contacts OpenAI endpoints.
Review Dimensions
- Purpose & Capability (ok): Name/description (商业计划生成器) match the package contents: a quick template mode and a full mode that calls OpenAI. Required items (OPENAI_API_KEY, optional OPENAI_MODEL) are appropriate and expected for an OpenAI-backed generator. No unrelated credentials or binaries are requested.
- Instruction Scope (ok): SKILL.md and README instruct running the included Python script and (for full mode) setting OPENAI_API_KEY. The runtime instructions do not ask for unrelated files, system state, or to transmit data to unexpected external endpoints. The code only sends the provided product description to the OpenAI API and writes output locally if requested.
- Install Mechanism (ok): There is no installer spec; dependencies are limited to the public 'openai' Python package (pip). No downloads from unknown hosts or archive extraction are present.
- Credentials (ok): Only OPENAI_API_KEY (required for full mode) and an optional OPENAI_MODEL are referenced. This is proportional to the functionality. The code checks only these environment variables and does not access other secrets or config paths.
- Persistence & Privilege (ok): The skill is not forced-always; it doesn't request elevated or persistent system privileges and only writes output to a user-specified file. Autonomous invocation defaults are unchanged (normal) and not combined with other red flags.
