Skill v1.0.1

ClawScan security

China Phone Checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 22, 2026, 10:23 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This instruction-only skill is internally consistent: it needs a single apipick API key and simply issues POST requests to apipick.com to validate Chinese phone numbers — there are no unrelated credentials, installs, or hidden behaviors in the package.
Guidance
This skill appears to do exactly what it says: it will send phone numbers you supply to apipick.com and return carrier/geographic info. Before installing or using: (1) confirm you trust apipick.com and review their privacy/terms because phone numbers are personal data; (2) provide a dedicated API key (do not paste broader credentials) and monitor credit/usage since each request costs credits; (3) avoid submitting phone numbers you don’t have consent to share; (4) if the API key is accidentally exposed, revoke/rotate it in apipick’s dashboard. Otherwise the skill’s requirements and instructions are proportionate and coherent.

Review Dimensions

Purpose & Capability
ok: The skill name/description match the declared requirements and instructions. The only required credential is APIPICK_API_KEY (primaryEnv), which is exactly what the apipick API requires. No unrelated binaries, config paths, or credentials are requested.
Instruction Scope
ok: SKILL.md explicitly directs the agent to POST a phone_number to https://www.apipick.com/api/check-china-phone and use the x-api-key header sourced from $APIPICK_API_KEY (or ask the user for it). The instructions do not reference other files, system paths, or additional environment variables. Note: using the skill sends phone numbers to apipick.com (expected behavior for this task).
Install Mechanism
ok: No install spec or code is included (instruction-only). Nothing is downloaded or written to disk by the skill package itself, which minimizes installation risk.
Credentials
ok: Only APIPICK_API_KEY is required, which is proportionate and justified by the skill's purpose. No other SECRET/TOKEN/PASSWORD env vars are requested.
Persistence & Privilege
ok: always is false (default). The skill does not request permanent/system-wide presence or modify other skills' configs. It can be invoked by the agent (normal behavior) but has no elevated privileges.