Skill v1.0.0

ClawScan security

Tra Cuu Phat Nguoi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 8:27 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with its stated purpose (querying an intermediary VNeTraffic endpoint for vehicle fines); it requests no credentials and has no install steps, but it will transmit the plate (and any provided phone) to a third-party site (vnetraffic.org).
Guidance
This skill appears coherent and implements what it claims: it POSTs a normalized license plate (and an optional phone number) to vnetraffic.org and returns the JSON. Before using: (1) be aware that the plate and any phone number you provide will be sent to a third party (vnetraffic.org), not a government portal; avoid supplying personal phone numbers if you prefer. (2) The SKILL.md already advises cross-checking results on official sites (CSGT / Đăng Kiểm) — follow that for confirmations. (3) If you run the script yourself, review the network request and consider running locally to ensure no additional data is transmitted. If you need higher assurance, request a source that queries only official government endpoints.

Review Dimensions

Purpose & Capability
ok: Name/description match the included script and SKILL.md. The script posts a normalized license plate (and optional phone) to vnetraffic.org to retrieve violations — this is coherent with a 'traffic fines lookup' skill.
Instruction Scope
note: Instructions only call the local Node script which performs a POST to https://vnetraffic.org/wp-json/custom/v1/tra-cuu-csgt. This is expected for the stated purpose, but it does transmit user-supplied data (plate and optional phone) to a non-government intermediary; SKILL.md does explicitly recommend cross-checking with official portals.
Install Mechanism
ok: No install spec (instruction-only plus a small included script). Nothing is downloaded or written to disk by an installer; risk from installation is minimal.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. There are no unrelated or excessive secret requests. Note: the runtime will send user-supplied data (plate and phone) to an external service — this is a privacy/consent consideration, not a credential request.
Persistence & Privilege
ok: 'always' is false and the skill does not request any persistent privileges or attempt to modify other skills or system settings.