Tender Opportunity Monitoring Radar (招投标商机监控雷达) - 标标达

Pass. Audited by ClawScan on May 9, 2026.

Overview

This is a coherent tender-analysis API skill, but users should note that it requires a service API key and sends business search queries to an external provider.

Before installing, confirm that you trust the 标标达/知了标讯 API provider, configure a dedicated ZLBX_API_KEY, and avoid sending confidential business strategy or private bid plans through the skill. For ambiguous company names, ask the agent to show or confirm the matched companies before it runs broad analyses.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

For ambiguous company names, the agent may query and analyze more companies than the user intended, which can affect result accuracy and consume API quota.

Why it was flagged

The documented company-search workflow automatically expands a user's company name to the related headquarters and subsidiaries and chains that list into later queries without confirmation.

Skill content
Automatic matching, no user confirmation required... the fullname list of all related companies is automatically used for subsequent query_bids_advanced queries... no user intervention or confirmation required
Recommendation

For broad or ambiguous company names, ask the user to confirm the matched company list or clearly state the expansion assumptions in the answer.
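The gate the recommendation describes, written as an added example (not the skill's own code): expansion proceeds on its own only when the search result is a single corporate group of manageable size; otherwise the plan is returned for the user to confirm, and no query_bids_advanced calls are built until that happens. The `fullname` field comes from the skill text; the `relation` field marking headquarters versus subsidiary, the sample company names and the `max_auto` threshold are assumptions for illustration.

```python
"""Confirmation gate for company-name expansion before chaining into tender queries.

Added example, not the skill's own code. It assumes each company-search record
carries 'fullname' (mentioned in the skill text) and a 'relation' value of
'headquarters' or 'subsidiary' (an assumption).
"""
from dataclasses import dataclass, field

# Constructed sample result for the short name "华星科技": one corporate group
# (headquarters plus two subsidiaries) and an unrelated company that merely
# shares a name prefix. All names are made up.
SAMPLE_MATCHES = [
    {"fullname": "华星科技集团有限公司", "relation": "headquarters"},
    {"fullname": "华星科技(北京)有限公司", "relation": "subsidiary"},
    {"fullname": "华星科技(深圳)有限公司", "relation": "subsidiary"},
    {"fullname": "华星新能源有限公司", "relation": "headquarters"},
]


@dataclass
class ExpansionPlan:
    status: str                                  # "auto" or "needs_confirmation"
    companies: list = field(default_factory=list)
    reason: str = ""


def plan_expansion(matches, max_auto=3) -> ExpansionPlan:
    """Expand automatically only for one corporate group with at most max_auto companies."""
    names = [m["fullname"] for m in matches]
    groups = [m["fullname"] for m in matches if m.get("relation") == "headquarters"]
    if not names:
        return ExpansionPlan("needs_confirmation", [], "no company matched the name")
    if len(groups) > 1:
        # Ambiguous short name: the hits span unrelated groups, so let the user choose.
        return ExpansionPlan("needs_confirmation", names,
                             f"{len(groups)} distinct corporate groups matched: " + ", ".join(groups))
    if len(names) > max_auto:
        # One group, but each company costs one downstream call against the user's quota.
        return ExpansionPlan("needs_confirmation", names,
                             f"{len(names)} companies would each be queried (quota impact)")
    return ExpansionPlan("auto", names, "one corporate group; state the expansion in the answer")


def build_queries(plan: ExpansionPlan, confirmed: bool = False, keyword: str = ""):
    """Produce query_bids_advanced calls; refuse while the plan still needs confirmation."""
    if plan.status != "auto" and not confirmed:
        raise PermissionError(f"user confirmation required: {plan.reason}")
    return [{"tool": "query_bids_advanced", "company": name, "keyword": keyword}
            for name in plan.companies]


if __name__ == "__main__":
    plan = plan_expansion(SAMPLE_MATCHES)
    print(plan.status, "-", plan.reason)
    # A real agent would show plan.companies to the user here and only then call:
    for q in build_queries(plan, confirmed=True, keyword="服务器采购"):
        print(q)
```

The reason string is meant to be shown verbatim to the user, so that even in the "auto" case the answer states which companies were folded into the analysis.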

What this means

API calls may consume the user’s provider quota or act under the user’s account for this tender-data service.

Why it was flagged

The skill requires a service API key and states that the key may be read from the environment or from the agent configuration file.

Skill content
Headers: X-API-Key: $ZLBX_API_KEY ... from the environment variable `ZLBX_API_KEY` ... read from the Agent configuration file.
Recommendation

Use a dedicated ZLBX_API_KEY with the minimum needed scope, store it only in the approved environment/config location, and rotate or revoke it if exposed.
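One way to handle the key along the lines of this recommendation, as an added example rather than the skill's or provider's own code: the credential is read from exactly one approved location (the environment variable named in the skill text; the agent-config fallback the skill also allows is deliberately not implemented), validated, attached as the X-API-Key header the skill documents, and redacted in anything that gets logged. The base URL and header name are from the skill text; the tool name, payload and sample key value are constructed for illustration.

```python
"""Load ZLBX_API_KEY from one approved location and attach it without leaking it.

Added example, not the skill's own code. Reads the environment only; the
tool name, payload and the fake key used in __main__ are illustrative.
"""
import json
import os
from urllib.request import Request

BASE_URL = "https://mcp-server.zhiliaobiaoxun.com/api_v2"   # from the skill text
ENV_VAR = "ZLBX_API_KEY"


class MissingCredential(RuntimeError):
    """Raised so the skill fails closed instead of sending unauthenticated calls."""


def has_credential(env=None) -> bool:
    env = os.environ if env is None else env
    return bool(env.get(ENV_VAR, "").strip())


def load_api_key(env=None) -> str:
    """Return the key from the environment, rejecting empty or malformed values."""
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise MissingCredential(f"{ENV_VAR} is not set; configure a dedicated key for this skill")
    if any(ch.isspace() for ch in key) or not key.isprintable():
        raise MissingCredential(f"{ENV_VAR} contains whitespace or non-printable characters")
    return key


def redact(key: str) -> str:
    """Keep a short prefix so a log line identifies which key was used without exposing it."""
    return key[:4] + "..." if len(key) >= 12 else "***"


def build_request(tool: str, payload: dict, key: str) -> Request:
    """Build (but do not send) the POST the skill would issue for one tool name."""
    if not tool or "/" in tool or ".." in tool:
        raise ValueError("tool name must be a single path segment")
    body = json.dumps(payload, ensure_ascii=False).encode("utf-8")
    return Request(f"{BASE_URL}/{tool}", data=body, method="POST",
                   headers={"X-API-Key": key, "Content-Type": "application/json"})


def describe(req: Request) -> dict:
    """Loggable view of a request with the credential redacted (urllib stores the
    header name as 'X-api-key')."""
    return {"method": req.get_method(), "url": req.full_url,
            "x_api_key": redact(req.get_header("X-api-key", ""))}


if __name__ == "__main__":
    fake_env = {ENV_VAR: "zlbx_example_key_0123456789"}   # constructed; not a real key
    req = build_request("query_bids_advanced", {"company": "示例公司"}, load_api_key(fake_env))
    print(describe(req))
```

Passing the environment mapping in explicitly (instead of always reading `os.environ`) keeps the loader testable and makes it obvious in code review where the secret enters; `describe` is what should reach logs and agent transcripts, never the raw `Request` headers.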

What this means

A user who reviews only the registry requirements, and not the skill text itself, may not realize that the skill needs a credential.

Why it was flagged

The registry-style requirements shown do not declare a required credential, while capability signals and SKILL.md indicate the skill needs ZLBX_API_KEY.

Skill content
Required env vars: none ... Primary credential: none ... Capability signals: requires-sensitive-credentials
Recommendation

Update registry metadata to explicitly declare ZLBX_API_KEY as the primary credential so installation expectations match the skill instructions.
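A small static check that would have caught this mismatch, added here as an example (it is not ClawScan's scanner or the skill's code): it collects the environment variables a SKILL.md refers to, either as `$NAME` or as "environment variable `NAME`" in English or Chinese, and reports any that the registry entry does not declare. The registry field names `required_env_vars` and `primary_credential` are assumptions; the SKILL.md excerpt is constructed from the lines quoted in this finding.

```python
"""Cross-check registry metadata against the env vars a SKILL.md actually uses.

Added example, not ClawScan's or the skill's code. The registry field names
are assumptions; the SKILL.md excerpt is constructed from the quoted lines.
"""
from __future__ import annotations

import re

# Constructed registry entry mirroring "Required env vars: none ... Primary credential: none".
REGISTRY = {"required_env_vars": [], "primary_credential": None}

# Constructed SKILL.md excerpt built from the lines this finding quotes.
SKILL_MD = """\
## Auth
Headers: X-API-Key: $ZLBX_API_KEY
从环境变量 `ZLBX_API_KEY` 读取，或从Agent配置文件中读取。
基础 URL: `https://mcp-server.zhiliaobiaoxun.com/api_v2/{工具名}`
"""

# $NAME or ${NAME} (shell style), and "environment variable `NAME`" / "环境变量 `NAME`" in prose.
_SHELL_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?")
_PROSE_REF = re.compile(r"(?:[Ee]nvironment variable|env var|环境变量)\s*`?([A-Z][A-Z0-9_]{2,})`?")


def referenced_env_vars(skill_md: str) -> set[str]:
    """Every environment variable name the skill text mentions."""
    found = set(_SHELL_REF.findall(skill_md))
    found.update(_PROSE_REF.findall(skill_md))
    return found


def declared_env_vars(registry: dict) -> set[str]:
    declared = set(registry.get("required_env_vars") or [])
    if registry.get("primary_credential"):
        declared.add(registry["primary_credential"])
    return declared


def undeclared_env_vars(registry: dict, skill_md: str) -> set[str]:
    return referenced_env_vars(skill_md) - declared_env_vars(registry)


def audit(registry: dict, skill_md: str) -> list[str]:
    """Human-readable findings; an empty list means metadata and skill text agree."""
    findings = []
    missing = undeclared_env_vars(registry, skill_md)
    for name in sorted(missing):
        findings.append(f"SKILL.md references {name} but the registry does not declare it as required")
    if missing and not registry.get("primary_credential"):
        findings.append("primary_credential is empty although the skill text requires a credential")
    return findings


if __name__ == "__main__":
    for line in audit(REGISTRY, SKILL_MD) or ["metadata matches skill text"]:
        print(line)
```

Run this as a pre-publish check in the registry pipeline; a non-empty result is the condition under which the install-time expectations and the SKILL.md instructions have drifted apart.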

What this means

Business search terms, target companies, competitor names, and project interests may be disclosed to the API provider or search provider during analysis.

Why it was flagged

The skill is designed to send user-specified tender, company, product, and competitor queries to an external API and may supplement with web search.

Skill content
Base URL: `https://mcp-server.zhiliaobiaoxun.com/api_v2/{工具名}` (`{工具名}` is the tool-name placeholder) ... for the following scenarios it is recommended to combine WebSearch for supplementary analysis
Recommendation

Avoid including confidential strategy, private customer lists, or non-public bid plans in prompts unless the external provider is approved for that data.