Skillv2.2.0

ClawScan security

建站骨架 (EdgeOne Pages) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 26, 2026, 3:09 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill’s code matches its stated purpose (generate and deploy a full stack site to EdgeOne Pages) but the package metadata omits many required environment bindings/credentials and contains optional telemetry/forwarding points that could be abused — the mismatch and missing declarations are concerning.
Guidance: This skill appears to implement what it claims, but the package metadata fails to declare many environment variables and bindings the code expects. Before installing or deploying: 1) Do not supply credentials blindly — identify and provision the required secrets yourself (DATABASE_URL, JWT_PRIVATE_KEY/JWT_PUBLIC_KEY or JWT_SECRET, payment merchant keys for WeChat/Alipay, AI_API_KEY, KV binding, SITE_URL). 2) Review analytics forwarding: the Edge analytics function can optionally forward events to ANALYTICS_ENDPOINT — ensure that is not set to a third‑party you don't trust. 3) Deploy in an isolated/staging EdgeOne account with limited privileges and test with mock payment integration before using real merchant credentials. 4) Inspect and, if necessary, audit code paths that handle JWT signing/verification, payment callback paths, and any code that writes or forwards telemetry to external endpoints. 5) Ask the publisher to update skill metadata to list required env vars and explain where they are used; absence of declared env vars is the main coherence problem here. If you cannot verify these points, treat the skill as potentially risky and avoid providing production credentials.

Review Dimensions

Purpose & Capability: okName/description promise (generate full front/back site and deploy to EdgeOne Pages) aligns with the included files: templates, edge-functions, cloud-functions, deployment docs and scripts. The code is coherent with an EdgeOne Pages deployment workflow.
Instruction Scope: noteSKILL.md and supporting references drive build/deploy to EdgeOne Pages and explain runtime responsibilities (Edge vs Cloud). The runtime instructions expect use of the edgeone CLI and platform deployment. They do not instruct indiscriminate system-wide access, but they assume the agent/operator will provide platform credentials and environment configuration (DB URL, JWT keys, payment credentials) which are sensitive and not declared in metadata.
Install Mechanism: okThere is no install spec (instruction-only skill + packaged code files). That is lower-risk than pulling arbitrary binaries or downloads. The repository contains code and scripts but no automatic external installers are configured in the manifest.
Credentials: concernThe skill metadata declares no required env vars or credentials, but code clearly expects many sensitive environment bindings: DATABASE_URL (MySQL), platform KV binding (env.KV), JWT_PRIVATE_KEY/JWT_PUBLIC_KEY/JWT_SECRET, AI_API_KEY, optional ANALYTICS_ENDPOINT, SITE_URL, and payment/merchant credentials for WeChat/Alipay. Payment callbacks, DB access, and JWT private keys are high-sensitivity secrets — the manifest should declare them. This omission is a significant mismatch and a risk: installing or running the skill will require providing secrets that were not documented in the skill metadata.
Persistence & Privilege: okSkill is not force-included (always: false) and does not request special platform privileges in metadata. It does not appear to modify other skills or global agent settings. Autonomous invocation is allowed (default) but not, by itself, an additional red flag here.