Skill v1.0.13
ClawScan security
Gold Price Inquiry - 黄金价格查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 3, 2026, 9:11 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill’s code, instructions, and requested credential (JISU_API_KEY) are consistent with a simple gold-price lookup using JisuAPI; nothing in the files suggests unrelated data access or covert behavior.
- Guidance: This skill appears to do exactly what it claims: call JisuAPI gold endpoints and return results. Before installing: (1) Understand that using it will send queries (and your JISU API key) to api.jisuapi.com — check JisuAPI's privacy/usage limits and costs. (2) Ensure the agent environment has python3 and the Python 'requests' package installed (the skill doesn't auto-install it). (3) If you care about limiting outbound network access, note that the script makes HTTPS requests to api.jisuapi.com. (4) Review/rotate your JISU API key if you stop using the skill. Overall there are no signs of unrelated data access or exfiltration.
Review Dimensions
- Purpose & Capability (ok): Name/description ask for multi-source gold prices and the skill requires a JISU_API_KEY and python3 — this matches the documented use of the JisuAPI gold endpoints. No unrelated credentials, binaries, or paths are requested.
- Instruction Scope (ok): SKILL.md instructs running the included Python script with the JISU_API_KEY and specific commands (shgold, shfutures, etc.). The script only reads command-line args and the JISU_API_KEY env var, calls JisuAPI endpoints, and prints JSON; it does not access other files, system credentials, or external endpoints beyond api.jisuapi.com.
- Install Mechanism (note): There is no install spec (instruction-only) which minimizes install risk. Note: the bundled script imports the third-party Python package 'requests' but the skill metadata does not declare or install that dependency — this is an operational mismatch (not a direct security risk) that could cause runtime failures if 'requests' is missing.
- Credentials (ok): Only one environment variable is required (JISU_API_KEY) and it is the primary credential needed to call JisuAPI. No other secrets or unrelated env vars are requested or referenced by the code.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request system-wide persistence or modify other skills. Autonomous invocation is allowed by default (platform standard) but the skill does not escalate privilege or claim persistent presence.
