Skill v1.0.5

ClawScan security

MBTI Personality Test - MBTI性格测试 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 9:33 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its MBTI-testing purpose: it requires a JisuAPI AppKey and python3 and calls JisuAPI endpoints to fetch questions and submit answers.
Guidance
This skill is internally consistent: it will send users' answers and the JISU API key to api.jisuapi.com to fetch questions and compute results. Before installing, confirm you trust JisuAPI's privacy and data-retention policy because user answers are transmitted to that external service. Also ensure the runtime has python3 and the Python 'requests' package available (the script will fail without it). Keep your JISU_API_KEY secret and only provide a key with appropriate scope/quota; if you need an offline or privacy-preserving MBTI test, do not use this skill.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, and character.py all revolve around the JisuAPI MBTI endpoints. The requested environment variable (JISU_API_KEY) and python3 binary are appropriate and required to call the external API.
Instruction Scope
ok: Runtime instructions and the script only read argv, the JISU_API_KEY env var, and (in interactive mode) standard input; they make HTTPS requests to api.jisuapi.com. There are no instructions to read unrelated files, other env vars, or to send data to unexpected endpoints.
Install Mechanism
note: There is no install spec (instruction-only install). The bundled script depends on the Python requests library but the skill does not declare this dependency; this is an operational omission (may fail at runtime if requests isn't installed) rather than a security issue.
Credentials
ok: Only one credential is required (JISU_API_KEY) and it is the API key for the documented service. That is proportional and justified by the skill's purpose.
Persistence & Privilege
ok: always is false and the skill does not request persistent/privileged system presence or modify other skills/config; it only runs the script when invoked.