Skill v1.0.0
ClawScan security
中文对联查询 - 即刻数据 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 6:51 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required environment variable align with its stated purpose of querying a public Chinese 'couplet' API and do not request unrelated secrets or perform unexpected actions.
- Guidance: This skill appears to do what it says: call jikeapi.cn endpoints to return couplets. Before installing: (1) confirm you trust the jikeapi.cn service and the AppKey you provide; use a limited-scope key if possible; (2) avoid placing secrets in shared/global environments — the script will also read a local .env in its folder, so check that file if present; (3) note the script allows overriding the API host via JIKE_API_BASE_URL (mostly for testing) — ensure it points to the expected domain; (4) if you need stronger assurance, review the included scripts/couplet_query.py file yourself and verify network requests go only to the expected API endpoints.
Review Dimensions
- Purpose & Capability: ok. Name/description, SKILL.md usage, _meta.json, and the included Python script all consistently implement keyword and random queries against jikeapi.cn's couplet endpoints. Required binary (python3) and the single AppKey env var are appropriate for this purpose.
- Instruction Scope: note. Runtime instructions only tell the agent to set an AppKey env var (JIKE_COUPLET_QUERY_KEY or JIKE_APPKEY) and run the included script with `query` or `random`. The script also supports reading a local `.env` file and an optional JIKE_API_BASE_URL override (used to change the API host), which is reasonable but not declared in the SKILL.md metadata — this is a minor inconsistency to be aware of.
- Install Mechanism: ok. No install spec; the skill is instruction-only with an included Python script. No external downloads or archive extraction occur during install, minimizing risk.
- Credentials: ok. Only an API AppKey is requested (JIKE_COUPLET_QUERY_KEY, with optional JIKE_APPKEY). The script reads the key from CLI args, env vars, or a local `.env` file in its own directory. No unrelated or high-privilege credentials are required.
- Persistence & Privilege: ok. `always` is false and the skill does not request persistent or elevated platform privileges, nor does it modify other skills or system-wide settings.
