Skill v1.0.0
ClawScan security
招投标商机监控雷达-标标达 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 11:27 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is an instruction-only adapter for an external tender-opportunity API and only requests a single API key appropriate to that purpose.
- Guidance: This skill appears to be a straightforward API adapter. Before enabling it:
  1) Confirm you trust the external service (ai.zhiliaobiaoxun.com / mcp-server.zhiliaobiaoxun.com) and review its privacy/retention and terms;
  2) Provide a least-privilege API key (scoped/rotatable) rather than a broad/high-privilege secret;
  3) Be aware that any queries you send (search terms, company names, documents) will be transmitted to that external API; avoid sending sensitive secrets or PII unless you’ve verified the provider’s handling;
  4) Monitor API key usage and billing (the docs mention call quotas);
  5) If you want to limit autonomous activity, restrict agent invocation policies or require explicit user consent before the agent calls the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description describe a tender-opportunity monitoring service and the SKILL.md documents a matching HTTP API with endpoints for search, company analysis, and aggregation. Requiring a single ZLBX_API_KEY is appropriate for this stated purpose.
- Instruction Scope (ok): Runtime instructions only describe forming POST requests to the documented API host, using the ZLBX_API_KEY in an X-API-Key header, and parsing returned fields. The instructions do not request unrelated files, system paths, or other environment variables.
- Install Mechanism (ok): No install spec or code is included (instruction-only). Nothing is downloaded or written to disk by the skill itself, minimizing install-time risk.
- Credentials (ok): The skill declares a single required credential (ZLBX_API_KEY) and uses it to call the external API. There are no unrelated credentials, excessive env variables, or config paths requested.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request elevated persistence. It is user-invocable and can be called autonomously by the agent (platform default), which is expected for a service integration.
