Back to skill
Skillv1.0.0
ClawScan security
节假日查询 - 即刻数据 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 5:36 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required environment variable match its stated purpose (querying holiday data from jikeapi.cn) and request only the expected minimal access.
- Guidance
- This skill appears coherent and limited to querying jikeapi.cn for holiday information. Before installing: (1) Only provide an AppKey for jikeapi.cn (keep it secret); (2) be aware the script will read a local .env in the script directory if present — avoid storing unrelated secrets there; (3) verify you trust https://www.jikeapi.cn/ and that the AppKey has minimal scope; (4) you can inspect the included Python script (it is short and readable) and use the --json option for machine-parsable output.
Review Dimensions
- Purpose & Capability
- okName/description align with the implementation: the script queries /v1/calendar/holiday/{day,month,year} on api.jikeapi.cn. Declared requirements (python3 and an AppKey) are appropriate for this functionality.
- Instruction Scope
- okSKILL.md and the script limit runtime behavior to building HTTP GET requests to the jikeapi.cn endpoints, formatting results, and optionally reading an AppKey from CLI, environment vars, or a local .env file. The skill does not read unrelated system files or phone home to unexpected domains.
- Install Mechanism
- okNo install spec is provided (instruction-only with an included script). It requires only python3 on PATH; nothing is downloaded or written to arbitrary system locations by an installer.
- Credentials
- okOnly a single service credential is required (JIKE_CALENDAR_HOLIDAY_QUERY_KEY, with optional JIKE_APPKEY fallback), which matches the declared primaryEnv. The script will also look for a .env in its directory but only extracts the same AppKey names.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated or persistent system privileges; it does not modify other skills or global agent configuration.