Skill v1.0.0

ClawScan security

卖家之家 (cross-border e-commerce) Skill Marketplace (skillhub/clawhub/search skills/popular skills/free skills/paid skills) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 7, 2026, 3:05 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it only directs the agent to call two public, unauthenticated APIs on data.mjzj.com for searching and listing skills and does not request credentials, install components, or local file access.
Guidance
This skill appears coherent and low-risk: it only performs read-only queries against public endpoints on data.mjzj.com and asks for no secrets or installs. Before installing, you may want to: (1) confirm you trust the homepage (https://skillhub.mjzj.com) and data.mjzj.com since queries will send search terms to that domain; (2) review any runtime text returned by the backend (installSkillPrompt) before following external install instructions; and (3) be aware that the agent may call those public APIs automatically when user queries match the skill's trigger conditions. If you require stronger privacy guarantees, restrict autonomous invocation or vet the remote service first.

Review Dimensions

Purpose & Capability
ok
The name/description (a skill marketplace search helper) matches the instructions: calling /api/skill/groupLabels and /api/skill/query to list and filter skills. No unrelated resources, binaries, or credentials are requested.
Instruction Scope
ok
SKILL.md limits runtime behavior to public HTTP GET calls to the two documented endpoints and guidance on parameters and error handling. It does not instruct reading local files, environment variables, or sending data to third-party endpoints.
Install Mechanism
ok
There is no install spec and no code files; the skill is instruction-only, so nothing is written to disk or installed.
Credentials
ok
The skill declares no environment variables, credentials, or config paths. It uses only public, unauthenticated APIs as documented in SKILL.md.
Persistence & Privilege
ok
always is false and there is no instruction to modify agent configuration or persist tokens. The skill can be invoked autonomously (platform default), which is expected for a query helper.