Skill v1.0.0
ClawScan security
Dao Calendar Query - Jike Data (道历查询 - 即刻数据) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 5:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested credential align with its stated purpose (querying Dao-calendar data from jikeapi.cn); nothing requests unrelated secrets or performs unexpected actions.
- Guidance: This skill appears coherent and limited to its stated purpose. Before installing, verify you trust the jikeapi.cn service and only provide the AppKey intended for this API. Note the script will look for the key in --key, the environment (JIKE_CALENDAR_TAO_QUERY_KEY or JIKE_APPKEY), or a .env file in the scripts directory; if you store keys, prefer environment variables to avoid leaving secrets in files. Also be aware of the optional JIKE_API_BASE_URL env var: if set it will redirect API calls to that host, so do not set it to an untrusted endpoint. If you need extra assurance, inspect the included scripts (they are small and readable) and run them in a controlled environment before granting access to any sensitive credentials.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (python3), the single required env var (JIKE_CALENDAR_TAO_QUERY_KEY) and the included script all match the stated purpose of querying jikeapi.cn for calendar/Dao-related data. There are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope (note): SKILL.md instructs the agent to extract a Gregorian date and run the included script or call the documented API; this is in-scope. The script reads the app key from --key, the declared env vars, or a .env file in the script directory; it performs only a single GET to the API and formats output. Minor note: the script honors an override JIKE_API_BASE_URL (not declared in requires.env), which can redirect network calls if set; the script does not read arbitrary system files or other env vars beyond the key names.
- Install Mechanism (ok): No install step is provided (instruction-only with an included script). Nothing is downloaded or written by an installer spec, which minimizes risk.
- Credentials (note): The declared primary credential (JIKE_CALENDAR_TAO_QUERY_KEY) is appropriate for this API. The script also accepts JIKE_APPKEY as an alternate name (documented) and reads a .env in the script directory for the same key names. It also respects JIKE_API_BASE_URL to override the API host (this env var is not declared in metadata). No unrelated SECRET/TOKEN variables are requested.
- Persistence & Privilege (ok): The skill does not request permanent presence, does not modify other skills or system settings, and does not require elevated privileges. It runs as a simple CLI script when invoked.
