Skill v1.0.2

ClawScan security

招中标信息&招标雷达-剑鱼 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 11, 2026, 3:35 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requests and instructions are consistent with a bidding-data search/analysis assistant and it only requires a single API key, but the provider/source is not published so exercise normal caution about sending sensitive data to the third party.
Guidance
This skill appears internally consistent: it simply sends queries to the zhiliaobiaoxun API using a single API key. Before installing or enabling it: (1) Verify you trust the external provider (mcp-server.zhiliaobiaoxun.com / ai.zhiliaobiaoxun.com) because user queries will be transmitted off-host. (2) Store a dedicated API key with least privilege and do not paste keys into chats. (3) Avoid sending sensitive or confidential data (PII, trade secrets, contract terms) through the skill unless you have reviewed the provider's privacy/security policy. (4) Note the SKILL will be triggered automatically for bidding-related keywords — consider requiring user confirmation for sensitive queries. (5) Monitor API usage and rotate the key if you see unexpected activity. The source/homepage are missing; if provenance is important, ask the publisher for documentation or replace with a provider that publishes security and privacy details.

Review Dimensions

Purpose & Capability
ok: Name/description match the instructions: the SKILL.md documents a bidding/search API and the only required credential is ZLBX_API_KEY, which aligns with calling that external service.
Instruction Scope
note: Runtime instructions are limited to calling the documented HTTPS API endpoints and specifying the X-API-Key header. The SKILL mandates being used whenever bidding-related keywords appear (broad trigger), which is expected for this domain but may cause frequent external requests if not moderated.
Install Mechanism
ok: No install steps or code are present (instruction-only), so nothing is written to disk or installed by the skill.
Credentials
ok: Only one environment variable is required (ZLBX_API_KEY) and it's the documented API key for the external service — proportionate to the stated purpose.
Persistence & Privilege
ok: Skill does not request always:true and is not attempting to modify other skills or system settings; autonomous invocation is allowed by platform default but not escalated by this skill.