Tencent Yuanbao Gaokao - Score-to-Rank Lookup
PassAudited by ClawScan on May 14, 2026.
Overview
This skill appears purpose-aligned: it runs an included Python helper to query GaoKao ranking data from a Tencent endpoint, without credentials, persistence, or broad local access.
This skill looks safe for its stated GaoKao score/rank lookup purpose. Before installing, be aware that it executes a local Python script and queries Tencent's GaoKao data endpoint with province/year/subject information; avoid adding unnecessary personal details beyond what is needed for the lookup.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the agent may execute the bundled Python script on the user's machine.
The skill directs the agent to run an included Python helper. This is central to the lookup workflow and the provided source is readable and purpose-aligned, but users should still know local code execution is part of the skill.
python3 ./fetch_data.py --place {place...} --year {year...} --classify {classify...} --score {score...} --rank {rank...}Run it without elevated privileges and keep the helper source available for review; the publisher should declare python3 as a runtime requirement.
Tencent's endpoint may receive the province/year/subject context of the lookup, though the artifacts do not show credential use or broad personal-data upload.
The helper contacts an external Tencent endpoint and sends the selected year, province, and subject category as URL parameters. This is consistent with the skill's data-retrieval purpose; score and rank filtering is performed locally by the script.
BASE_URL = "https://gaokao.search.qq.com/skills_data" ... url_prefix += f"&year={year}" ... url_prefix += f"&place={urllib.parse.quote(place)}" ... url_prefix += f"&classify={urllib.parse.quote(classify)}" ... urllib.request.urlopen(req, timeout=10)Use the skill only if you are comfortable sending that query context to the Tencent GaoKao data service.
The skill may fail on systems without python3 even though the registry metadata does not warn about that requirement.
The registry metadata does not declare required binaries, while SKILL.md invokes python3. This is a metadata completeness issue rather than suspicious behavior because the helper code is included and uses only Python standard-library modules.
Required binaries (all must exist): none ... No install spec — this is an instruction-only skill.
The publisher should declare python3 as a required binary; users should verify python3 is available before use.