Skill v1.0.0
ClawScan security
彩票查询 - 即刻数据 (Lottery Query - Jike Data) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 5:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested credential (a single AppKey) are consistent with a lottery-query integration to jikeapi.cn; nothing in the package suggests unrelated access or covert exfiltration.
- Guidance: This package appears to do only what it claims: query jikeapi.cn for lottery data. Before installing, (1) avoid exposing your real AppKey in public repositories and prefer setting it as an environment variable; (2) inspect or run the included script locally to confirm behavior; (3) be cautious about any environment variable you set named JIKE_API_BASE_URL, because changing it will make the script send requests to a different host; and (4) only provide the AppKey to agents or environments you trust. If you need stronger guarantees, run the script in an isolated environment and review outbound network traffic to confirm requests go to the expected api.jikeapi.cn endpoints.
Review Dimensions
- Purpose & Capability (ok): Name/description match the implementation: the script calls jikeapi.cn endpoints to return latest results, details, number history and stats. Required binary (python3) and the single AppKey credential are proportionate to the stated purpose.
- Instruction Scope (note): SKILL.md and the script limit actions to building requests to the declared API and formatting results. The script will read a local scripts/.env file and environment variables for the AppKey (expected). It also honors JIKE_API_BASE_URL (an override for the API base) which is not declared in the skill metadata and could redirect requests if set by the environment; functionality useful for testing but worth noting as it changes the network target.
- Install Mechanism (ok): Instruction-only skill with a single Python script; there is no install spec or downloaded third-party artifacts. Nothing is written to disk by an installer step beyond normal script execution (it may read a local .env file if present).
- Credentials (note): The declared primary credential JIKE_CAIPIAO_LOTTERY_QUERY_KEY is appropriate. The script also accepts JIKE_APPKEY as an alternate environment name (reasonable). It additionally reads JIKE_API_BASE_URL to override the API host (this env var is not listed in the skill's declared envs and can change where requests are sent), which is a minor mismatch to be aware of.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or system settings, and has no persistent installation behavior beyond running the included Python script with environment-provided credentials.
