Back to skill
Skillv1.0.4
ClawScan security
Duke of Zhou's Dream Interpretation - 周公解梦 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 3, 2026, 9:29 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested credential align with a simple JisuAPI-backed dream-lookup; nothing disproportionate or covert was found.
- Guidance
- This skill simply queries the JisuAPI dream endpoint and needs your JISU_API_KEY and network access. Before installing: (1) only provide a JISU AppKey you control and are willing to use for this purpose; the API provider will receive every query (dream keywords) and may log/charge them; (2) confirm you trust jisuapi.com and understand their privacy/usage limits; (3) ensure the environment has Python and the 'requests' package (pip install requests) so the script runs; (4) avoid sending any sensitive personal data as part of dream queries. If you see unexpected network calls to other domains or additional env vars in a future version, treat that as suspicious.
Review Dimensions
- Purpose & Capability
- okName/description match the implementation: the script calls JisuAPI's /dream/search and the skill requires an AppKey (JISU_API_KEY). Requiring python3 is appropriate for a Python script.
- Instruction Scope
- okSKILL.md instructs only how to call the included script and how to set JISU_API_KEY. The instructions do not ask for unrelated files, credentials, or system data, nor do they send data to endpoints other than the documented JisuAPI URL.
- Install Mechanism
- noteNo install spec (instruction-only) which is the lowest-risk pattern. One minor operational omission: the Python script uses the 'requests' library but SKILL.md/metadata do not declare this dependency or provide installation instructions (pip). This is an availability/operational issue, not a security mismatch.
- Credentials
- okOnly JISU_API_KEY is required and is the expected credential for the documented external API. No additional unrelated secrets or config paths are requested.
- Persistence & Privilege
- okSkill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system configuration.