Skill v1.0.0

ClawScan security

酷安社区搜索 (Coolapk community search) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 29, 2026, 8:24 AM)
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested actions and files are consistent with a CLI wrapper for Coolapk; the only notable risk is that it directs installing an external PyPI package (coolapk-mcp), which is expected for this functionality but carries the usual code-installation risks.
Guidance
This skill appears coherent for providing Coolapk search and interaction via the coolapk CLI, but it requires installing the external PyPI package `coolapk-mcp`. Before installing or supplying login cookies: 1) review the coolapk-mcp project source (the README references https://github.com/lniosy/coolapk-mcp) to verify authorship and behavior; 2) prefer installing inside an isolated virtualenv or container rather than system Python to limit impact; 3) avoid pasting full persistent credentials into untrusted environments — use a disposable session cookie if possible and be prepared to revoke it if compromised; 4) inspect the created config file (~/.coolapk-mcp/config.json) after first run to confirm no unexpected secrets are stored or exfiltrated; 5) if you cannot verify the PyPI package, consider running the CLI from a checked-out repository copy or skip installation.

Review Dimensions

Purpose & Capability
ok: Name/description match the instructions: the SKILL.md documents use of a coolapk CLI to search posts, users, apps, and topics. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok: Instructions stay within the stated purpose: searching and interacting with Coolapk via the coolapk CLI. They mention creating a local config (~/.coolapk-mcp/config.json) and using a cookie string for login — both are expected for this kind of tool and limited in scope.
Install Mechanism
note: There is no formal install spec, but the SKILL.md instructs users/agents to run `pip install coolapk-mcp`. Installing a third-party PyPI package is reasonable for a CLI wrapper, but pip installs execute arbitrary code from PyPI, so this is a code-execution risk if the package or its dependencies are malicious or compromised.
Credentials
ok: The skill does not request environment variables or unrelated credentials. The only sensitive input is a site login cookie provided by the user for interactive actions — this is proportionate to performing likes/replies/follows.
Persistence & Privilege
ok: `always` is false and the skill only indicates creating a per-user config file in the user's home (~/.coolapk-mcp/config.json). It does not request system-wide changes or other skills' configs.