Skill v1.0.1

ClawScan security

Amber Electric real-time prices, forecast prices, and site information · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 17, 2026, 8:03 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's runtime code clearly expects an AMBER_API_KEY and makes network calls to Amber's API (consistent with its description), but the published metadata omits the required credential and contains minor metadata inconsistencies — this mismatch is unexplained and warrants caution.
Guidance
This skill appears to implement exactly the Amber Electric API calls described, but the published metadata fails to declare the AMBER_API_KEY it needs and has a small version/metadata mismatch. Before installing, request that the publisher update the manifest to explicitly declare AMBER_API_KEY (and set primaryEnv if appropriate), provide a homepage or source for verification, and explain the version discrepancy. Only supply an Amber API token you control — prefer a limited-scope token if Amber supports it — and avoid reusing high-privilege credentials. If you can't verify the publisher/source, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
Concern: The SKILL.md handler calls Amber Electric endpoints and requires an AMBER_API_KEY, which is coherent with the skill name and description. However, the registry metadata lists no required env vars or primary credential, and _meta.json and registry metadata show inconsistent version/publish data. The missing declaration of AMBER_API_KEY in the manifest is an incoherence.
Instruction Scope
OK: The runtime instructions are narrowly scoped to three actions (get_sites, get_current_price, get_forecast) and only reference Amber API endpoints and the AMBER_API_KEY environment variable. The code does not reference unrelated files, other env vars, or external endpoints besides api.amber.com.au.
Install Mechanism
OK: There is no install specification and no code files beyond SKILL.md and _meta.json. As an instruction-only skill, it does not write artifacts to disk or download external installers.
Credentials
Concern: The handler requires an AMBER_API_KEY (process.env.AMBER_API_KEY) to function, but the skill's declared requirements list no environment variables and no primary credential. That omission is disproportionate/unexplained. Requesting a single Amber API key for this purpose would be reasonable, but the manifest should declare it explicitly.
Persistence & Privilege
OK: The "always" flag is false, and the skill does not request system-wide configuration or modify other skills. It has normal, limited runtime privileges.