Skill v1.1.0
ClawScan security
数字大脑工厂 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 8:15 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description and basic code mostly match an AI governance/review service, but there are several incoherent or risky elements (inserting user-home paths into sys.path, inconsistent metadata about payment/wallet, and examples that POST to localhost or arbitrary callback URLs) that warrant caution before use.
- Guidance: This skill mostly looks like a governance/review service, but there are red flags you should address before installing or invoking it:
  - Ask the author to explain/remove the sys.path.insert lines in scripts/billing.py. Inserting user-home directories into sys.path is unnecessary here and could cause arbitrary local code to run. Require them to import explicit modules or bundle needed code instead.
  - Clarify the payment/wallet behavior: SKILL.md says requires_wallet: true but the registry lists no credentials. Who processes payments and where are API keys stored? Don’t provide real payment credentials until this is clear.
  - Treat callback_url as risky: avoid passing sensitive content or using callback URLs you do not control. Prefer synchronous responses or a well-audited server endpoint you control. Be especially cautious of examples that call 127.0.0.1 — those could be used to poke local services (SSRF-style risk).
  - Request identity and provenance: the skill has no homepage and an unknown source/owner. Ask for a verifiable author contact, code provenance, and a signed release or repository.
  - Run the code in an isolated sandbox first: review and run the scripts in a container or VM with no access to sensitive networks or credentials. Inspect any modules that would be loaded from the inserted paths.
  - If you plan to use payment features, require clear, auditable integration with a known payment provider (no reliance on local user paths), and ensure payment verification logic is implemented server-side under your control.

  If the author can satisfactorily justify the sys.path usage, fix the metadata inconsistencies (wallet/API key handling), and constrain callback destinations, the skill becomes much more reasonable. Until then, treat it as suspicious and avoid running it in production or on machines with sensitive data.
- Findings:
  - [sys_path_insert_user_home] unexpected: scripts/billing.py calls sys.path.insert with paths under the user's home directory (~/v19_cognition/...), which is unnecessary for simple pricing/payment validation and could cause imports to execute arbitrary local code. This is not expected for a small billing helper and increases attack surface.
  - [callback_url_arbitrary_post] unexpected: SKILL.md defines an optional callback_url parameter and provides examples that assume results are POSTed back. Arbitrary callback endpoints allow data (potentially sensitive) to be sent to third parties or to internal network endpoints; this is a common exfiltration vector and should be justified and constrained.
Review Dimensions
- Purpose & Capability
  - note: The name/description (AI cognition governance, paper review, system audit) align with the included code (api_handler.py, billing.py) and pricing.json. However SKILL.md declares requires_wallet: true and a gateway host while the registry metadata lists no required credentials or env vars — this mismatch is unexplained. Also governance_protocol.md mentions obtaining an API Key via external channels but no API key or auth is declared in the manifest.
- Instruction Scope
  - concern: SKILL.md instructs the agent to POST to external endpoints (api.v19-cognition.com and clawtip.jd.com) and includes examples that call localhost (127.0.0.1:8700). The skill accepts an optional callback_url parameter — if used the service (or an agent invoking the skill) would send data to an arbitrary URL, which can be abused for data exfiltration or to make the agent contact local network services. The SKILL.md also says 'results will be returned via callback address' but the included code doesn't implement callback logic; the combination of examples and optional callback_url increases risk.
- Install Mechanism
  - ok: There is no install spec (instruction-only plus two small scripts). Nothing is downloaded or extracted during install, which reduces risk.
- Credentials
  - concern: No environment variables or credentials are declared in the registry, yet SKILL.md flags requires_wallet: true and governance_protocol.md describes obtaining an API Key. The billing.py file inserts two user-home directories into sys.path (~/v19_cognition/...), which is disproportionate and suspicious: it means the module will prefer loading code from those user-controlled paths if imported, increasing the chance of executing unexpected local code or depending on local payment modules.
- Persistence & Privilege
  - ok: The always flag is false and the skill is user-invocable only; there is no install-time mechanism that writes persistent system-wide config. The skill does not request permanent presence or modify other skills' settings.
