Skill v1.0.0

ClawScan security

专业彩票助手 (Professional Lottery Assistant) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 4, 2026, 8:25 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's functionality (lottery queries and OCR) matches its instructions, but it relies on an external amcjt-mcp-server (accessed via mcporter) of unknown provenance and contains small inconsistencies (an unexpected MOONSHOT_API_KEY reference), so proceed with caution.
Guidance
This skill will send uploaded lottery images and ticket data to an external 'amcjt-mcp-server' via the mcporter CLI. There is no source or homepage provided for the MCP server, and the SKILL.md mentions an unrelated environment variable (MOONSHOT_API_KEY) that is not declared. Before installing or using the skill: 1) verify who operates the amcjt-mcp-server and where it is hosted; do not configure mcporter to point at an unknown or untrusted URL; 2) avoid uploading sensitive files or credentials to the service; 3) ask the author for the server's privacy/security details or the skill's source code; 4) do not supply API keys or secrets unless you understand why they are needed and trust the endpoint. These issues make the skill suspicious but not definitively malicious.

Review Dimensions

Purpose & Capability
note: The name/description (lottery results, OCR, check wins) align with the runtime instructions: all operations are performed by calling amcjt-mcp-server via the mcporter tool. Declared bins (mcporter/node) and allowed tools match that design. However, the skill depends on a third-party MCP server (amcjt-mcp-server) whose source, hosting, and trust boundaries are not provided (Homepage/source unknown), which is a meaningful dependency for a skill processing user images and ticket data.
Instruction Scope
concern: Instructions explicitly read image file paths from the agent workspace and pass those full paths to the remote MCP server via mcporter CLI (i.e., image content or path is transmitted to an external service). The SKILL.md also mentions using environment variables in examples and troubleshooting (e.g., MOONSHOT_API_KEY) that are not declared elsewhere. The guidance to configure mcporter with an amcjt-mcp-server URL means user data (images, numbers) will be sent to whatever server is configured—this raises privacy and trust concerns.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — minimal local footprint. It references the public mcporter package and docs but does not download arbitrary archives or execute unknown installers itself.
Credentials
concern: The skill declares no required environment variables, yet the troubleshooting section references MOONSHOT_API_KEY and shows how to pass env vars to mcporter. There is no clear explanation of what credentials (if any) the amcjt-mcp-server requires, and mcporter configuration may store server URLs or keys. Requesting or suggesting use of undefined API keys is inconsistent and could lead users to supply secrets without clear justification.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated platform privileges or modify other skills. It is user-invocable and allows autonomous invocation (platform default), which is expected and not flagged by itself.