Skill v1.0.0

ClawScan security

老黄历查询 - 即刻数据 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 3:29 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requested credential align with its stated purpose (querying a lunar/huangli API) and do not request unrelated secrets or perform unexpected actions.
Guidance
This skill appears to do exactly what it claims: query the jikeapi.cn lunar/calendar endpoint and format results. Before installing, consider: (1) You must provide an AppKey (JIKE_CALENDAR_LUNAR_QUERY_KEY or JIKE_APPKEY); treat that as a secret and avoid placing it in shared locations. (2) The script will read a .env file in its own directory if present — ensure no other sensitive secrets are stored there. (3) Confirm the AppKey's permissions and rate limits on https://www.jikeapi.cn/ and avoid exposing the key in logs or public repos. (4) The minor metadata mismatch (metadata lists only JIKE_CALENDAR_LUNAR_QUERY_KEY while docs show JIKE_APPKEY as an alternative) is benign but you may want to standardize which env var you set. If you need higher assurance, review the included Python script locally before running and validate network calls go to the expected api.jikeapi.cn endpoint.

Review Dimensions

Purpose & Capability
ok
Name/description (老黄历查询) match the functionality implemented: the script validates date/time, reads an AppKey, and calls the jikeapi.cn /v1/calendar/lunar/detail endpoint. Required binary (python3) and the single API key are proportionate to the stated purpose.
Instruction Scope
note
SKILL.md instructs extracting a date/time and running the included script which calls the documented API — this is within scope. Minor inconsistencies: SKILL.md demonstrates both JIKE_CALENDAR_LUNAR_QUERY_KEY and a '通用 Key' named JIKE_APPKEY, while registry metadata declares only JIKE_CALENDAR_LUNAR_QUERY_KEY; the script accepts both names and also attempts to read a local .env file in the script directory (useful for local config but worth noting). The script does not access other system files or network hosts besides the API base.
Install Mechanism
ok
No install spec (instruction-only with an included script). No downloads or archive extraction. The script is executed directly with python3 — low install risk.
Credentials
ok
Only an API AppKey is required (JIKE_CALENDAR_LUNAR_QUERY_KEY, with optional support for JIKE_APPKEY). This is expected and proportionate. The script will also read a .env file in its directory if present — that may contain secrets, but the script only checks for the AppKey names listed.
Persistence & Privilege
ok
The skill does not request 'always: true' or other elevated persistence. It does not modify other skills or system-wide settings. Autonomous invocation is allowed but is the platform default and not combined with other concerning privileges.