Skill v1.0.0
ClawScan security
精准寻标与获客引擎-寻标宝 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 11:32 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions match its stated purpose (calling a tender-data API using a single API key) and do not ask for unrelated credentials or installs, though the provider/source is not published so you should verify the service before use.
- Guidance
- This skill appears internally consistent: it simply calls an external tender-data API and requires one API key. Before installing, verify you trust the API provider (zhiliaobiaoxun.com/ai.zhiliaobiaoxun.com) since the registry metadata has no homepage or source repo. Limit the API key's permissions and rotate it if possible, do not hard-code the key, and confirm the provider's privacy/terms because returned data can include company contacts and other sensitive business information. If you need higher assurance, ask the publisher for a homepage, docs, or a repo link and test the API with a disposable key first.
Review Dimensions
- Purpose & Capability
- note: Name/description describe tender sourcing and the SKILL.md documents a matching HTTP API (search_bids, get_company_partners, etc.). The single required env var (ZLBX_API_KEY) is appropriate for an API-backed skill. However, the package lists no homepage or source repo, so the provider cannot be independently verified from the metadata.
- Instruction Scope
- ok: SKILL.md is an instruction-only spec that tells the agent to POST to the documented API endpoints with header X-API-Key. It does not instruct reading unrelated files, other environment variables, system paths, or exfiltrating data to unexpected endpoints.
- Install Mechanism
- ok: No install spec and no code files are present (instruction-only). This minimizes on-disk execution risk.
- Credentials
- ok: Only one environment variable is required (ZLBX_API_KEY) and it directly corresponds to the documented API Key header. No unrelated credentials or broad permissions are requested.
- Persistence & Privilege
- ok: `always` is false and the skill does not request persistent system-wide changes or other skills' configurations. Autonomous invocation is allowed (platform default) but not combined with unusual privileges.
