Skill v1.0.4
ClawScan security
Almanac / Huangli Inquiry - 黄历查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 9:47 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested environment variable align with its stated purpose (querying JisuAPI's huangli (黄历)); no suspicious behavior or unrelated credential access was found.
- Guidance: This skill is internally consistent: it needs a JisuAPI AppKey and runs a Python script that queries JisuAPI's huangli/date endpoint. Before installing, ensure you: (1) only provide a JISU_API_KEY you trust (API keys can incur usage/billing limits and should be treated as secrets), (2) have Python3 and the 'requests' package installed on the host (the skill doesn't declare Python package dependencies), and (3) are comfortable with the skill making outbound HTTPS requests to api.jisuapi.com. If you prefer tighter control, create a limited API key on JisuAPI, monitor usage, or run the script in an isolated environment.
Review Dimensions
- Purpose & Capability: ok. Name/description ask for calendar/huangli queries and the code only calls JisuAPI's huangli/date endpoint using an AppKey; requiring JISU_API_KEY and python3 is appropriate.
- Instruction Scope: ok. SKILL.md instructs how to set the AppKey and run the Python script with a JSON date payload; the instructions only access the declared env var and call the documented external API.
- Install Mechanism: note. This is an instruction-only skill with a Python script but no install spec. The script imports the 'requests' library, which is not declared as a dependency; hosts must ensure Python and the requests package are available.
- Credentials: ok. Only JISU_API_KEY is required and it's the primary credential used to authenticate to the JisuAPI service; no unrelated secrets or config paths are requested.
- Persistence & Privilege: ok. Skill does not request always:true, does not alter other skills or system config, and has normal (non-persistent) presence.
