Skill v1.0.0
ClawScan security
生肖查询 - 即刻数据 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 6:51 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it needs a single Jike API key and runs a small Python script that queries api.jikeapi.cn for Chinese-zodiac data, which matches its description.
- Guidance: This skill appears to do exactly what it claims: call jikeapi.cn for Chinese-zodiac data using an AppKey. Before installing, confirm you trust jikeapi.cn and are comfortable providing an AppKey. Prefer exporting the key in environment variables (JIKE_CHINESE_ZODIAC_QUERY_KEY or JIKE_APPKEY) rather than committing it to files. Note the script will search a local .env in its directory and that the key is sent as a query parameter (potentially visible in logs/proxies), so avoid using highly privileged or long-lived secrets—use a least-privilege key and rotate it if needed. Finally, verify the homepage and owner are what you expect since the skill source is marked 'unknown'.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (python3), declared primary env var (JIKE_CHINESE_ZODIAC_QUERY_KEY) and the included script all align with a simple API-integration skill that queries jikeapi.cn for zodiac data. No unrelated services or credentials are requested.
- Instruction Scope (ok): SKILL.md instructs extracting parameters from the user, running the included Python script, or calling the documented API endpoint. The script reads CLI args, environment variables, an optional local .env, and performs an HTTPS GET to the Jike API; it does not attempt to read other system files or send data to unexpected endpoints.
- Install Mechanism (ok): No install spec is provided (instruction-only + a small included script). No downloads or archive extraction are requested—lowest-risk installation surface.
- Credentials (note): The skill only requires a single API key (JIKE_CHINESE_ZODIAC_QUERY_KEY / JIKE_APPKEY), which is proportionate. Note: the script also respects an optional JIKE_API_BASE_URL env var (used to override the API base) but that env var is not declared in the skill metadata; the script will also read a local .env file in the script directory for the key. Also be aware the AppKey is appended to the request URL as a query parameter, which can expose it in logs or proxy traces.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent or elevated platform privileges. It does not write configuration outside its directory or modify other skills.
