Skill v1.0.0
ClawScan security
佛历查询 - 即刻数据 (Buddhist Calendar Query - Jike Data) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 5:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent with its stated purpose: it needs a Jike API key, runs a small Python script that queries the jikeapi.cn calendar endpoint, and does not request unrelated credentials or perform unexpected I/O.
- Guidance: This skill appears to do what it claims: it needs a Jike AppKey and python3 and will call the jikeapi.cn calendar endpoint to return Buddhist-calendar info. Before installing: (1) only provide an AppKey that you trust and avoid placing other secrets in the skill directory .env (the script will read .env in the script folder and only looks for the AppKey names); (2) be aware you can override the API host with JIKE_API_BASE_URL — do not set that to an untrusted domain if you care about confidentiality; (3) verify the AppKey was obtained from the official jikeapi.cn site if you plan to use a production key; (4) no additional binaries or remote installers are used, and the code is small and readable, but you should still review the source if you plan to run it in a sensitive environment.
Review Dimensions
- Purpose & Capability (ok): Name/description (query Buddhist calendar info) matches the implementation: the script issues an HTTP GET to https://api.jikeapi.cn/v1/calendar/foto/detail and requires a Jike AppKey. Requiring python3 and an AppKey is proportionate.
- Instruction Scope (note): SKILL.md instructs the agent to extract a date and run the included script; the script only reads CLI args, environment variables, and a .env file located in the script directory. It does not scan arbitrary system files or transmit data to unexpected endpoints. Note: the SKILL.md and script accept JIKE_APPKEY as an alternative env var and the script will read a local .env (script directory) if present.
- Install Mechanism (ok): No install spec — instruction-only plus a small Python script. No external package downloads or archive extraction; only requires an existing python3 runtime.
- Credentials (note): Declared primary credential is JIKE_CALENDAR_FOTO_QUERY_KEY (with JIKE_APPKEY supported), which matches the API usage. The script also respects JIKE_API_BASE_URL if present (not declared in metadata) which can redirect requests to a different host — this is likely for testing but is worth noting because an altered environment variable could point traffic elsewhere.
- Persistence & Privilege (ok): always is false and the skill does not request persistent or system-wide privileges. It does not modify other skills or global config and runs only when invoked.
