Skill v1.0.0
ClawScan security
tikhub-api-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 5:00 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (search and call TikHub APIs), but there are inconsistencies and red flags: a hard-coded default API token in the code, SKILL.md recommends an environment variable that the CLI does not read, and the skill's README contains prompt-injection-like patterns. Investigate before installing or using.
- Guidance: What to consider before installing:
  - Do not assume the embedded DEFAULT_TOKEN is safe: api_client.py contains a hard-coded token which will be used if you don't supply your own; this can mean actions run under someone else's account or incur charges. Replace or remove the DEFAULT_TOKEN and use your own TIKHUB_TOKEN.
  - SKILL.md recommends setting TIKHUB_TOKEN, but the CLI does not read that environment variable; confirm the implementation will use your token (or modify the code to read os.environ['TIKHUB_TOKEN']). Ask the author to fix this mismatch.
  - The README contains prompt-injection-like patterns (base64 and unicode control characters). Open SKILL.md in a plain text editor, search for non-printable characters or encoded blocks, and remove/verify anything suspicious.
  - Review openapi.json (it's large) to ensure it doesn't contain unexpected endpoints or sensitive-sounding functionality you don't want (e.g., services that bypass captchas or send emails).
  - If you plan to use the API, create and use your own TikHub API key from your account (do not rely on the shipped DEFAULT_TOKEN).
  - When in doubt, ask the publisher for provenance (who published this skill) and for a version that does not include hard-coded credentials or hidden characters.
  - If you cannot validate these points, avoid running the packaged scripts against the network or sanitize the code first (remove DEFAULT_TOKEN, add explicit env-var reading, and remove suspicious characters).
- Findings:
  - [base64-block] unexpected: A base64 block was detected in SKILL.md. A plain API helper README normally wouldn't contain base64 payloads; this can indicate hidden/obfuscated instructions or content. Inspect SKILL.md for hidden characters or encoded payloads before trusting it.
  - [unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These are commonly used to hide or manipulate rendered text (prompt-injection/obfuscation). This is unexpected in normal documentation and should be examined.
Review Dimensions
- Purpose & Capability (note): Name, description, and included code (api_searcher.py, api_client.py, openapi.json) match the stated purpose of helping search and call TikHub APIs. However, the skill metadata lists no required env vars while SKILL.md instructs users to set TIKHUB_TOKEN; the client code embeds a DEFAULT_TOKEN constant (hard-coded credential) and the CLI in main() does not read TIKHUB_TOKEN from the environment. This mismatch is unexplained and worth verifying.
- Instruction Scope (concern): SKILL.md stays within the API-helper scope for the most part (search, list, call APIs). But the provided SKILL.md contains prompt-injection signals (base64-block and unicode-control-chars) detected by the scanner, which is unexpected for a normal README and could be an attempt to obfuscate instructions or add hidden content. Also, SKILL.md tells users to set TIKHUB_TOKEN, yet the CLI implementation does not read that environment variable, a behavioural mismatch that may cause confusing or unsafe use (e.g., the embedded DEFAULT_TOKEN will be used instead).
- Install Mechanism (ok): No install spec: instruction-only plus shipped code files. Nothing is downloaded or executed during installation by a package manager; the contained Python scripts will simply exist on disk. This is low-risk from an installer standpoint, but files will be present locally.
- Credentials (concern): Metadata declares no required credentials, but SKILL.md asks users to set TIKHUB_TOKEN and api_client.py contains a DEFAULT_TOKEN string baked into the source. A hard-coded token in distributed code is a red flag: it may be a leaked/privileged credential (causing billing or access through someone else's account) or a backdoor. The skill otherwise does not request unrelated credentials, so the concern is specifically the unexplained embedded token and the mismatch around env var usage.
- Persistence & Privilege (ok): The skill does not request always:true and is user-invocable only; it does not attempt to modify system config or other skills. There is no elevated persistence or privileged system presence requested.
