Skill v1.0.1

ClawScan security

Maoyan CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 3:19 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose: it runs a local Python CLI that fetches and parses maoyan (m.maoyan.com) pages to return cinema/show/movie data; nothing requested or installed is disproportionate beyond a small metadata omission (Python runtime).
Guidance
This skill appears to do what it says: run the bundled Python CLI to scrape/query Maoyan mobile endpoints and return structured JSON. Before installing, note: (1) it requires a Python 3 runtime even though the registry metadata does not declare it — ensure the agent environment has Python and network egress to m.maoyan.com; (2) the skill will make outbound HTTP(S) requests to m.maoyan.com (no other endpoints) and may accept user-provided lat/lng values; (3) running code from third-party skills carries inherent risk — you reviewed this script and it only queries Maoyan, but only install if you trust the skill owner; (4) be mindful of any site Terms-of-Service or rate limiting when scraping external sites. If you want higher assurance, confirm the working-directory assumptions in SKILL.md (the script path) and consider running the script in an isolated environment.

Review Dimensions

Purpose & Capability
ok: The name/description claim to query Maoyan for cities, cinemas, shows and movie details, and the code + SKILL.md implement exactly that by calling Maoyan mobile endpoints and parsing HTML/JSON. No unrelated services, credentials, or unexplained requirements are present.
Instruction Scope
note: SKILL.md instructs the agent to execute the included Python script and parse its JSON output. The instructions remain scoped to fetching/parsing Maoyan endpoints and using optional user location (lat/lng) to sort by distance. They do not request unrelated files, credentials, or external endpoints beyond m.maoyan.com. Note: SKILL.md refers to the runtime path 'skills/maoyan-cli/scripts/maoyan_cli.py' — the skill bundle contains scripts/maoyan_cli.py, which is consistent in intent but the exact working-directory assumption should be confirmed when installing.
Install Mechanism
note: There is no install spec (instruction-only), and the bundle includes a Python script that will be run locally. That is low risk compared to remote downloads. However, the metadata did not declare a required binary: the skill expects a Python 3 runtime (runs 'python ...') but 'required binaries' is empty in the registry metadata — a minor mismatch to be aware of.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. The included code does not read secrets or environment variables. All network calls are to the Maoyan mobile domain (m.maoyan.com), which matches the stated purpose.
Persistence & Privilege
ok: The skill is not marked always:true and does not attempt to modify other skills or system-wide settings. It only runs as-invoked and outputs JSON; no persistent privileges are requested.