Skillv1.0.2

ClawScan security

Driver's License Exam - 驾考题库 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 3, 2026, 9:50 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code, runtime instructions, and requested environment variable align with a driver exam question API integration; nothing indicates covert or unrelated access, though there are small packaging/metadata omissions to be aware of.
Guidance: This skill appears to do what it says: call JisuAPI's driverexam endpoint and return questions. Before installing: 1) Confirm you trust jisuapi.com and understand their privacy/usage terms (the JISU_API_KEY you supply will be sent to that API). 2) Ensure the runtime has Python 3 and the 'requests' package (pip install requests) since the script imports it but the skill metadata doesn't declare it. 3) Keep only the JISU_API_KEY in the skill's environment — avoid placing other unrelated secrets in the same environment variable names. 4) Because the source/homepage is not provided, you may want to review the small Python file yourself (it is short and straightforward) or run it in a sandboxed environment. 5) Be aware the skill prints API results (including question text and any image URLs) to stdout — the agent/UI will receive that output.

Review Dimensions

Purpose & Capability: noteThe skill name/description match its behavior: it queries the JisuAPI driverexam endpoint and requires a JISU_API_KEY. One mismatch: the Python script imports the third‑party 'requests' library but neither SKILL.md nor the registry metadata declare that dependency or provide an install step for it.
Instruction Scope: okSKILL.md instructs the agent to set JISU_API_KEY and run the bundled Python script with a JSON argument; the script only sends that payload and the API key to https://api.jisuapi.com/driverexam/query and prints the API 'result'. The instructions do not request extra files, unrelated environment variables, or external endpoints beyond the documented provider.
Install Mechanism: noteThere is no install spec (instruction-only plus a code file). This is low risk because no external archives are downloaded or executed, but the absence of an install step means the runtime must already have Python and the 'requests' package — SKILL.md lists only python3 as a required binary, not the requests package.
Credentials: okOnly JISU_API_KEY is required and used as the API key for the documented service. No other credentials, secret-named env vars, or config paths are requested or read by the script.
Persistence & Privilege: okThe skill is not forced-always, it is user-invocable, and it does not attempt to modify other skills or system-wide config. disable-model-invocation is false (normal); there is no evidence of elevated persistence or privilege requests.