Skillv1.0.17

ClawScan security

字幕菌 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 22, 2026, 2:23 PM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's purpose and runtime behavior mostly line up (it calls an npm client to extract subtitles) but its instructions ask users to share API keys in-chat and rely on npx to fetch and run the latest remote package, which is disproportionate and risky.
Guidance: This skill appears to do what it claims (call an npm client to extract subtitles) but has several red flags you should consider before installing or using it: - Do not paste your API key into chat. The SKILL.md explicitly invites users to 'send the key to me' so the agent can set the env var — this is unsafe. If you must use the service, set ZMJ_API_KEY as an environment variable locally or in a controlled runtime, not via chat. - Running npx --yes zimujun@latest fetches and executes remote code unpinned from npm. That code could change over time. Prefer that the publisher provide a pinned version, a package checksum, or a link to a public source repo before running it. Consider running in an isolated VM/container. - Ask the maintainer for the package homepage/source and for the reason the registry metadata omits ZMJ_API_KEY. Lack of a homepage and unknown source increases risk. - If you proceed, verify the npm package author and reviews, and run the tool in an environment where it cannot access sensitive files or credentials beyond ZMJ_API_KEY. If you want help formulating questions to the skill author (e.g., request source code, pinned release, or checksum), I can draft them for you.

Review Dimensions

Purpose & Capability: noteName/description (extract subtitles) aligns with requiring node/npx and an API key for a backend service. However, the registry metadata lists no required env var while SKILL.md mandates ZMJ_API_KEY — a metadata/instruction mismatch.
Instruction Scope: concernSKILL.md tells the agent to run 'npx --yes zimujun@latest "<url>"', read ZMJ_API_KEY from the environment, and — problematically — explicitly offers the user the option to '直接密钥发给我，我会帮你设置环境变量' (send the secret to the agent so it can set the env var). That encourages secret disclosure in chat. The instructions also require returning/transmitting fetched content and error messages; they do not request unrelated files, but they permit running arbitrary downloaded code.
Install Mechanism: concernNo install spec in registry, but runtime uses npx to pull and execute the latest package from npm. Using 'npx --yes' + '@latest' runs remote code unpinned and auto-accepts prompts — this is a moderate-to-high risk install pattern because the executed package comes from the network and could change.
Credentials: concernOnly one credential (ZMJ_API_KEY) is required by the SKILL.md, which is proportionate to a service-backed extractor. But the skill's registry metadata omitted this requirement. More importantly, the skill's instructions invite users to paste the API key into chat for the agent to set — that is an unnecessary and unsafe vector for secret disclosure.
Persistence & Privilege: okalways is false, no install script or persistent system modifications are declared, and the skill does not request access to other skills' configs or system-wide credentials. Autonomous invocation is allowed (platform default) but not combined with other privileges here.