Skillv1.0.4

ClawScan security

apihz-cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 9, 2026, 2:21 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what its name/description say (a client for apihz.cn APIs), but there is an inconsistency that could expose credentials: the code can fall back to HTTP backup nodes and may send ID/KEY over non‑TLS if the primary is unreachable, contradicting the documentation.
Guidance: This package appears to be a legitimate client for apihz.cn and includes the scripts the README describes, but pay attention before installing: - Credential handling: you must run the init wizard to store your API ID/KEY. They are encrypted on disk and tied to the machine fingerprint (hostname + username + workspace). That makes the file non‑portable — do not copy it to another machine. - Network fallback risk (important): the code will try the HTTPS primary server first but if that fails it will fall back to configured backup IPs (HTTP). Although the documentation says backups are only for non‑sensitive queries, the implementation will also fall back for account verification and the auto‑checkin flow — meaning your ID/KEY could be transmitted over plain HTTP if the primary is down. To reduce risk: - Set APIHZ_BASE_URL to the HTTPS primary and ensure connectivity to it before running automated scripts. - Avoid enabling automatic cron jobs for auto-checkin unless you accept the fallback risk. - Inspect and, if needed, modify the scripts (auth.request / auto-checkin.request) to disable backup fallback for credentialed endpoints (e.g., add allowBackup=false or force primary-only calls). - Review init-wizard.js before running: ensure it does nothing unexpected and that it saves credentials to the workspace path you intend. - If you require stronger guarantees, consider using a low-privilege/test account (as suggested in docs), and prefer manual API calls until you confirm primary HTTPS endpoints are reliable. If you'd like, I can point out the exact lines/functions that implement the fallback behavior and show how to modify them to avoid sending credentials to HTTP backups.

Review Dimensions

Purpose & Capability: okName/description match the included client code and helper scripts. The package contains client, auth, and helper scripts referenced by SKILL.md (init-wizard, call-api, auto-checkin). No unrelated credentials or binaries are requested.
Instruction Scope: concernSKILL.md instructs running local scripts (init-wizard, call-api, auto-checkin) and storing credentials in a workspace .credentials file — that's consistent. However documentation claims backup HTTP nodes are used only for non‑sensitive queries, but the implementation will fall back to backup servers for arbitrary requests (including account verification and auto-checkin). If the primary HTTPS host is unavailable the code will try HTTP backups and may transmit ID/KEY in cleartext. This contradicts the stated security behavior and is a scope/behavior mismatch.
Install Mechanism: okNo external install/download mechanism; this is a code-only skill bundled with scripts. Nothing downloads or executes remote archives during install. Risk from install mechanism is low.
Credentials: concernThe skill does not require unrelated environment variables or platform credentials. It stores user-provided APIHZ_ID/KEY (and optional DMSG) encrypted on-disk bound to a machine fingerprint. That is reasonable, but the fallback-to-backup behavior can cause credentials to be sent to HTTP backup IPs if the HTTPS primary fails — contradicting the stated claim that backups won't receive sensitive data. Machine‑fingerprint based encryption is non-portable and predictable; the doc notes this but the design weakens portability and could be surprising.
Persistence & Privilege: okThe skill writes its own credential file in the workspace (.credentials/apihz.txt) and reads it; this is expected for a client that stores keys. It does not request forced always-on inclusion or modify other skills. No elevated platform privileges are requested.