Back to skill
Skillv1.0.2
ClawScan security
卖家之家(跨境电商)平台一体化服务助手(服务商、物流、服务产品、技能商城、货盘、资讯、问答、供需、私信、全球开店、活动) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 7, 2026, 3:04 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is internally consistent with its stated purpose: it documents API endpoints for mjzj.com and only requests a single platform API key (MJZJ_API_KEY) which is appropriate for the claimed operations.
- Guidance
- This skill appears coherent and only needs your MJZJ_API_KEY to call mjzj.com APIs. Before installing: (1) Only provide an API key you obtained from the official site (https://mjzj.com/user/agentapikey). (2) Understand that the key allows actions like sending private messages and creating posts — treat it like a password and revoke/rotate it if you suspect misuse. (3) If you don't want the agent to act autonomously on your behalf (posting/sending messages), disable autonomous invocation or avoid storing the key. (4) Confirm the agent will call the API under the official domain (https://mjzj.com) and not exfiltrate the key to other endpoints.
Review Dimensions
- Purpose & Capability
- okThe name, description, and listed API endpoints all match a cross‑border e‑commerce platform assistant. Requesting MJZJ_API_KEY as the primary credential is appropriate for performing user-scoped actions (posting, private messages, etc.). No unrelated services, binaries, or config paths are requested.
- Instruction Scope
- noteSKILL.md stays within the platform's scope (searching providers, posting content, sending messages). It instructs use of Authorization for private actions and gives a token refresh URL. Minor omission: endpoints are listed as '/api/...' without an explicit base URL in every example (homepage is provided, so the base is implied as https://mjzj.com).
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing is written to disk and no external packages are downloaded.
- Credentials
- okOnly one required environment variable (MJZJ_API_KEY) is declared and used. That single credential is proportionate to the described capabilities (authenticated API calls such as sendMessage, create content).
- Persistence & Privilege
- okSkill is not marked always:true and requests no system-level persistence or access to other skills' configs. Model invocation is enabled (normal default); be aware that with an API key present the agent could perform authenticated actions if invoked.