SkillForge API Service Discovery

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill is coherent for discovering and invoking paid external AI services, but users should be careful because it uses an API key, can send inputs to external providers, and can spend account balance.

Install only if you intend to use SkillForge paid services. Configure the API URL and key carefully, set a spending limit, require confirmation before paid calls, and treat marketplace descriptions and third-party service outputs as untrusted external content.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note, Medium Confidence
ASI01: Agent Goal Hijack
What this means

A malicious or compromised marketplace listing could include persuasive text that tries to influence the agent or user.

Why it was flagged

Service names/descriptions/developer text returned by the external marketplace are inserted into the agent-facing output. This is purpose-aligned, but that retrieved text should be treated as untrusted data rather than instructions.

Skill content
lines.push(`   ${service.description}`);
lines.push(`   开发者: ${service.developer || '匿名'}\n`);
Recommendation

Treat service listings as informational only; confirm the selected provider and ignore any instructions embedded in service descriptions.

What this means

If invoked unintentionally, the skill could cause paid API calls or send user-provided input to an external service.

Why it was flagged

The skill explicitly supports invoking paid external services. This is its stated purpose and is disclosed, but it is a high-impact action because it can spend account balance.

Skill content
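3. **Invoke service** - After the user confirms, invoke the service and return the result ... All service invocations deduct fees from the account balance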
Recommendation

Require explicit confirmation before any paid invocation, keep a low max-cost setting, and review the selected service and price before proceeding.

What this means

The API key may allow billed calls against the user's SkillForge account if mishandled or over-permitted.

Why it was flagged

The skill authenticates to SkillForge using a bearer API key, which is expected for service access and billing.

Skill content
'Authorization': `Bearer ${config.api_key}`
Recommendation

Use a dedicated/revocable API key with spending limits if available, store it securely, and prefer HTTPS SkillForge endpoints.

What this means

Prompts, files, or other inputs supplied for service invocation may be processed by external services rather than only locally.

Why it was flagged

The skill is designed to communicate with SkillForge and developer-provided services. This is disclosed and purpose-aligned, but it means user inputs may cross a third-party provider boundary.

Skill content
permissions:
  - name: network
    reason: 需要访问 SkillForge API 和开发者服务
Recommendation

Do not send sensitive or regulated data unless you trust the selected service and understand its retention/privacy terms.