AI Capability Analyzer
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill does not appear destructive, but it overstates its real-time search and safety-review abilities, which could mislead users into trusting or installing recommended skills.
Use this skill cautiously as a recommendation helper, not as a security authority. Before installing any skill it recommends, independently review that skill's permissions, source, code, and reputation, and avoid providing API keys unless you understand how they will be used.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may rely on the tool's safety rating and install another skill that has not actually been meaningfully reviewed.
The code presents recommended skills as highly safe and says they meet a safety rule, but the visible implementation bases this mainly on hardcoded entries and download counts rather than real permission, malware, or behavior analysis.
return `🎯 推荐技能: ${topSkill.name} ...\n✅ 安全评级: 高 (满足100/3规则)...`; ... const safetyRating = meets100Rule ? "高" : "需要谨慎评估";
Treat the safety ratings as rough popularity hints, not a security review. The skill should clearly label its limits and implement real, evidence-backed checks before claiming a skill is safe.
Recommendations may be stale or incomplete even though the user is led to believe they are based on live ClawHub data.
The code comments and implementation show mock ClawHub results, while the skill description advertises real-time search across the ClawHub ecosystem.
// The ClawHub API would actually be called here
// Due to environment limitations, we simulate the returned results
const mockResults = [
The skill should either implement the live API search as advertised or clearly disclose that it uses a small built-in/mock database.
Providing API keys could allow the skill to use paid or account-linked services if the implementation later sends requests.
The skill asks for external-service API credentials. This is plausible for the stated purpose, but the artifacts are inconsistent about whether the ClawHub key is optional or required.
`OPENAI_API_KEY`: used for requirement understanding and content generation
`CLAWHUB_API_KEY`: used to access the ClawHub skill database (optional)
Only provide scoped API keys when you need the cloud/API features, and verify what data is sent before using it with sensitive requests.
Users have less ability to verify the maintainer, source history, or whether this package matches a trusted repository.
The package provenance is weak: the source is unknown and the homepage appears to be a placeholder rather than a verifiable project URL.
Source: unknown
Homepage: https://github.com/your-username/ai-capability-analyzer
Prefer installing only after confirming the package source, maintainer identity, and repository provenance.
