谋道
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.
Install only if you are comfortable running the Node.js script with your own LLM API key. Do not include secrets or sensitive personal/business details in prompts unless you trust the configured provider, and verify important recommendations because the research output may use estimated data. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your LLM provider account and billing quota may be used when running this skill.
The skill requires a provider API key even though the registry metadata lists no primary credential or required environment variables. This is purpose-aligned for an LLM planning tool, but users should understand the credential use.
DeepSeek API Key (or another OpenAI-format-compatible API)
Use a scoped, revocable API key, monitor provider usage, and only set the key in environments where you intend to run this tool.
Planning goals, profile details, constraints, and diagnosis context may be transmitted to the configured LLM provider.
The script sends the user’s request and context to an external chat-completions API. This is expected for the stated LLM functionality, but it is a data boundary users should be aware of.
messages: [ { role: 'system', content: systemPrompt }, { role: 'user', content: userMessage } ]
Avoid entering secrets or highly sensitive personal/business information unless you are comfortable sharing it with the configured provider.
Business, career, health, or finance plans may include plausible but unverified estimates.
The internal prompt allows persuasive estimated data while the skill presents a “前期调研” research mode. This is not malicious, but users should not treat outputs as verified market research.
Data and cases should be persuasive; estimated data may be used
Treat generated plans as a starting point and verify important market, legal, financial, or health claims with reliable sources or professionals.
The skill may require Node.js and manual API-key setup despite metadata suggesting no requirements.
The registry/install metadata under-describes the included runnable Node.js script. The script and package are visible and no suspicious dependencies are shown, so this is an operational metadata note rather than a security concern.
No install spec — this is an instruction-only skill; Code file presence: scripts/moudao.js
Review README.md and package.json before use, and ensure Node.js and the intended API key are configured deliberately.
