Skill v1.0.4

ClawScan security

Car Models Inquiry - 车型大全查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 9:57 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, runtime instructions, and requested credential (JISU_API_KEY) are consistent with a car-model lookup integration using the JisuAPI service.
Guidance
This skill appears to do what it claims: call JisuAPI car endpoints and return results. Before installing, ensure you: (1) trust JisuAPI and are comfortable sending queries (search keywords may include user-supplied data) to their service; (2) have a valid JISU_API_KEY and are aware of quota/costs; (3) have Python 3 and the 'requests' package available (SKILL.md doesn't provide an installer); and (4) run the skill only when you intend to query the external API (it does perform outbound network requests).

Review Dimensions

Purpose & Capability: ok
Name/description ask for car brand/series/model/search/rank/hot lists and the code and SKILL.md call only the JisuAPI car endpoints (api.jisuapi.com/car). The requested JISU_API_KEY is the expected credential for that API.
Instruction Scope: ok
SKILL.md instructs setting JISU_API_KEY and running the included Python script with JSON arguments; the script only performs outbound HTTPS requests to the documented JisuAPI endpoints and prints the API 'result'. It does not read unrelated files, other env vars, or send data to unexpected endpoints.
Install Mechanism: note
There is no install spec (instruction-only behavior) which minimizes write-to-disk risk. Minor mismatch: the Python script imports the third-party 'requests' package but SKILL.md/metadata do not declare or provide an install step for that dependency; users must ensure 'requests' is available in the environment.
Credentials: ok
Only a single API key (JISU_API_KEY) is required and it directly matches the external service the skill uses. No other secrets, config paths, or unrelated credentials are requested.
Persistence & Privilege: ok
The skill is not always-enabled; it is user-invocable and does not request elevated/persistent platform privileges or modify other skills' configs. Autonomous invocation is allowed by default but is not combined with other concerning indicators.