Back to skill
Skillv1.0.1
ClawScan security
成语词典 - 即刻数据 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 30, 2026, 7:04 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and requested secret are consistent with a simple idiom-dictionary client for the jikeapi.cn service.
- Guidance
- This skill appears to do exactly what it says: query jikeapi.cn idiom endpoints and format results. Before installing: provide only the AppKey from the jikeapi.cn service (JIKE_IDIOM_QUERY_KEY or JIKE_APPKEY), verify the AppKey comes from a trusted account, and avoid placing other secrets in the script directory .env (the script will read .env in its folder). If you want to change the API host, note you can set JIKE_API_BASE_URL (not declared as required). If you need stronger assurance, review the full script (included) and confirm the provider's privacy/usage terms for the AppKey.
Review Dimensions
- Purpose & Capability
- okName/description (成语词典) match the code and instructions: the script calls jikeapi.cn idiom endpoints (search, detail, random, last_word) and only needs an AppKey and python3.
- Instruction Scope
- noteRuntime instructions tell the agent to run the included Python script and set an AppKey. The script also looks for an optional .env file in its own directory and supports an alternate env name (JIKE_APPKEY). Reading a .env next to the script is expected for convenience but is worth noting.
- Install Mechanism
- okNo install spec; the skill is instruction/script-only and requires only python3 on PATH. Nothing is downloaded or written to system locations by an installer.
- Credentials
- noteDeclared primary env is JIKE_IDIOM_QUERY_KEY which is appropriate. The code also accepts JIKE_APPKEY (alternative) and optionally JIKE_API_BASE_URL to override the API host; those alternate env names are mentioned in SKILL.md but JIKE_API_BASE_URL is not listed as a required/optional env in metadata — this is minor but worth documenting so users know the override exists. The script only seeks the AppKey and does not request unrelated credentials.
- Persistence & Privilege
- okalways:false and no config paths tied to other skills. The script reads a .env in its own directory only; it does not modify system-wide agent settings or other skills.