Skill v1.0.0
ClawScan security
mar-douyin-hot-trend · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 24, 2026, 3:40 AM)
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required environment variable (SKILLBOSS_API_KEY) are consistent with its stated purpose of fetching Douyin hot-trend data via the SkillBoss API; nothing indicates hidden or unrelated behavior.
- Guidance
- This skill appears to do what it claims: it uses your SKILLBOSS_API_KEY to call the SkillBoss scraping endpoint and formats Douyin hot-trend data. Before installing, confirm you trust the SkillBoss API provider (api.heybossai.com) because your API key will be sent there. Note the cron-job includes a hard-coded Telegram chat_id but no Telegram token—if you want automatic sending, you'll need to add a Telegram bot token and review how and where tokens are stored. Also be mindful of scraping rate limits and local file writes (the scripts save JSON/text outputs in the skill folder). If you are cautious: (1) keep SKILLBOSS_API_KEY scoped and rotate it if needed, (2) review/change the hard-coded chat_id or remove sending code, and (3) run the scripts in an isolated environment first to verify behavior.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the implemented behavior: scripts call the SkillBoss API (api.heybossai.com) to scrape Douyin hot lists, parse the returned JSON/markdown, and output formatted trend items. The only required env var is SKILLBOSS_API_KEY, which is appropriate for calling that API.
- Instruction Scope
- note: Runtime instructions and scripts focus on fetching and formatting Douyin hot-trend data and saving outputs to local files and stdout. A minor note: cron-job.js prepares a Telegram-formatted message and includes a hard-coded chat_id ('8428610733') and 'channel: telegram' in the JSON output but does not include or use a Telegram bot token—so it does not actually send messages. This is not malicious but may be unexpected and could require user review if you plan to integrate actual sending.
- Install Mechanism
- ok: No external install/download spec — code is instruction-only with included Node scripts and a package.json that declares 'node' as required. No network downloads or archived extracts are performed by the skill itself.
- Credentials
- ok: Only SKILLBOSS_API_KEY is required and used; that is proportional because the scripts POST to the SkillBoss API. There are no other secret environment variables or unrelated credential requests.
- Persistence & Privilege
- ok: Skill does not request always:true and does not modify other skills or system-wide settings. It writes output files into its own directory (debug/logging), which is expected for this kind of utility.
