Skill v1.0.3
ClawScan security
Base Station / Cell Query - 基站查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 9:49 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it calls the JisuAPI cell/query endpoint, only requires a JISU_API_KEY and python3, and its code and instructions match the stated purpose (minor note: the script depends on the Python 'requests' package but the SKILL.md does not declare installation of that dependency).
- Guidance: This skill appears to do exactly what it says: submit provided cell identifiers (mnc/lac/cellid and optional sid/nid) to JisuAPI and return the API's result. Before installing, ensure you trust the JisuAPI service and understand that sending cell IDs and related identifiers to a third party may have privacy implications. Also make sure the runtime has Python 3 and the 'requests' package installed (pip install requests) so the script runs correctly. Verify your JISU_API_KEY has the required API permissions and quota; if you want to restrict exposure, only provide the key in environments where you trust the runtime and who can invoke the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description claim to convert mobile network cell parameters to an approximate location using JisuAPI. The code calls https://api.jisuapi.com/cell/query and only requests parameters (mnc, lac, cellid, optional sid/nid) and an AppKey — this aligns with the stated purpose.
- Instruction Scope (ok): SKILL.md and the script limit behavior to building a JSON request and calling the JisuAPI endpoint. The instructions only reference the JISU_API_KEY env var and the script path; they do not attempt to read unrelated files, credentials, or system configuration.
- Install Mechanism (note): There is no install spec (instruction-only), which is low risk. However, the provided Python script imports the third‑party 'requests' library but neither SKILL.md nor metadata documents installing this dependency; users must ensure 'requests' is available in the runtime environment.
- Credentials (ok): Only a single credential (JISU_API_KEY) is required and serves the described purpose (authenticating to the JisuAPI service). No unrelated secrets, config paths, or excess environment variables are requested.
- Persistence & Privilege (ok): The skill is user-invocable, not always-on, and does not request permanent system presence or modify other skills/config. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.
