Skill v1.1.0
ClawScan security
guanyuan data · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 25, 2026, 10:22 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent: it implements a CLI client for the GuanYuan Data API, and its files, instructions, and required I/O (config and token files under ~/.guanyuan, HTTPS requests to a configurable baseUrl) match the stated purpose.
- Guidance: This skill appears to do what it says, but exercise normal caution before installing:
  1. The source/publisher is unknown and there's no homepage — review the included script yourself before use.
  2. The tool stores tokens and (optionally) base64-encoded passwords in ~/.guanyuan; these files are not encrypted by the script, so restrict file permissions (chmod 600 ~/.guanyuan/*) and avoid storing long-lived/high-privilege credentials on shared machines.
  3. Verify the configured baseUrl points to your expected GuanYuan instance (default uses api.guandata.com).
  4. If you need stronger security, prefer using short-lived or least-privilege tokens rather than storing passwords.
  5. Because this is a local CLI script, run it in a controlled environment (or inspect the file) before adding it to PATH or granting it broad access.
Review Dimensions
- Purpose & Capability: ok. The name/description match the code and SKILL.md. The script implements login/token management, card data retrieval and CSV export and only requests access to ~/.guanyuan config and network to the configured baseUrl — all appropriate for an API client.
- Instruction Scope: ok. Runtime instructions explicitly tell the agent to read/write ~/.guanyuan/config.json and ~/.guanyuan/user.token and to call the configured API endpoints; those actions are necessary for the declared features. There is no instruction to read unrelated files or to call unexpected external endpoints.
- Install Mechanism: ok. There is no automated install that downloads remote code; the skill is instruction + included script. It relies on Node.js being present (not installed by the skill). No suspicious external install URLs or archive extraction are present.
- Credentials: ok. No environment variables or external credentials are requested by the skill manifest. The code asks the user to provide credentials or a token in ~/.guanyuan/config.json — this is proportional to an API client. It uses process.env.HOME to locate the config directory, which is expected.
- Persistence & Privilege: ok. The skill persists only under the user's home (~/.guanyuan) and does not request always:true or modify other skill/system configurations. It writes/reads its own token and config files — suitable for this type of CLI tool.
