Skill v1.0.0
ClawScan security
热门标讯挖掘助手-火标网 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 11:30 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is instruction-only and coherently requests a single API key for the described Huobiaowang tender-mining APIs; nothing in the SKILL.md or metadata suggests unexplained or disproportionate access.
- Guidance: This skill is instruction-only and appears internally consistent, but it will send whatever you query to the external Huobiaowang API using the provided API key. Before installing: (1) Verify you trust the API provider (zhiliaobiaoxun.com / mcp-server.zhiliaobiaoxun.com) and review their privacy/TOS; (2) Use a dedicated API key with the minimum scope and quotas you need; (3) Avoid sending sensitive secrets or unrelated confidential data in queries; (4) Monitor API usage and rotate the key if you see unexpected calls; (5) Remember there is no code to audit here—behavior is entirely determined by the runtime instructions and the external service.
Review Dimensions
- Purpose & Capability (ok): Name/description (trending tender miner for Huobiaowang) align with the declared requirement: a single API key (ZLBX_API_KEY) to call the documented API endpoints. Required items are proportional to the stated purpose.
- Instruction Scope (note): SKILL.md contains explicit HTTP POST API usage (base URL: https://mcp-server.zhiliaobiaoxun.com/api_v2/...), parameters, and response formats. The instructions do not ask the agent to read unrelated files, other env vars, or local system state. Note: the skill will send user query data to an external service (the provider's API), so user data entered into queries will be transmitted off-host.
- Install Mechanism (ok): No install spec and no code files (instruction-only). Nothing is written to disk or downloaded by the skill itself, minimizing installation risk.
- Credentials (ok): Only a single environment variable (ZLBX_API_KEY) is required and it is the primary credential for the advertised API. There are no unrelated credentials or config paths requested.
- Persistence & Privilege (ok): always:false and standard autonomous invocation settings. The skill does not request permanent/always-on presence or special agent-level privileges.
