ClawHub
Back to skill
v1.0.0

jike-data-service

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:11 AM.

Analysis

This looks like a coherent Douyin marketing-data client, but it needs review because its check command can reveal the API key and it includes remote state-changing keyword commands.

GuidanceReview before installing. If you use it, keep the base URL pointed at a trusted service, prefer an environment variable for the API key, avoid sharing `check` command output, and require confirmation before adding or deleting monitored keywords.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
| 添加监控关键词 | `keywords add` | 添加新关键词到监控列表 | ... | 删除关键词 | `keywords delete` | 从监控列表删除关键词 |

The skill exposes documented commands that change the remote monitoring keyword list. This fits the marketing-data purpose, but it is still a mutating action.

User impactThe agent could add or remove monitored keywords in the service, affecting what the marketing team tracks.
RecommendationRequire explicit user confirmation before running `keywords add` or `keywords delete`, especially in shared or production monitoring lists.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusConcern
scripts/ry-data.py
if key: print(f"Key:      {key[:8]}...{key[-4:]}" if len(key) > 12 else f"Key: {key}")

The check command emits the configured API secret in output: partially for longer keys and fully for keys of 12 characters or fewer. Routine diagnostic output should not reveal secrets.

User impactIf the agent runs the check command, the API key or enough of it to be sensitive may appear in the conversation or saved command output.
RecommendationDo not print API keys in check output; show only whether a key is configured, or redact all but a very small non-sensitive marker. Rotate the key if it has been exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
scripts/ry-data.py
url = f"{base}{path}" ... headers["X-API-Key"] = secret_key ... urllib.request.urlopen(req, timeout=30)

The script sends user queries and the API key to the configured external API endpoint. This is expected for the service, but users should understand that data leaves the local environment.

User impactSearch terms, account identifiers, and API credentials are transmitted to the configured ry-api service or any configured base URL.
RecommendationUse only a trusted base URL, keep the API key scoped to this service, and avoid submitting sensitive internal strategy terms unless the provider is approved for that data.