Skill v1.0.2
ClawScan security
远行商人库存查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 6:07 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to implement the described merchant-inventory query, but metadata omits the required API key and the script sends that key to an external host (wegame.shallow.ink), so verify the API provider before trusting keys.
- Guidance
- This skill's code and instructions match its stated purpose (fetching current merchant inventory). However: 1) the registry metadata does not declare the required ROCOM_API_KEY even though SKILL.md and the script require it — treat that as a documentation/manifest bug. 2) The script sends whatever API key you provide to https://wegame.shallow.ink with header X-API-Key; before supplying any sensitive key, verify the API host and the referenced GitHub 'Entropy-Increase-Team' project to ensure the key provider is trustworthy. 3) Prefer using a throwaway or scoped API key (not a personal/global secret). 4) If you need higher assurance, inspect/run the script locally (it is small and readable) and confirm network traffic to the expected endpoint. Fixing the manifest to declare ROCOM_API_KEY would increase transparency and confidence.
Review Dimensions
- Purpose & Capability
- note: The name/description match the code and instructions: the Python script queries a game merchant API and filters active items. However, the registry metadata claims 'Required env vars: none' while SKILL.md and scripts require ROCOM_API_KEY — a metadata omission/inconsistency.
- Instruction Scope
- ok: SKILL.md and the script are narrowly scoped: they require Python + requests, call a single remote endpoint (https://wegame.shallow.ink/api/v1/games/rocom/merchant/info?refresh=true) with header X-API-Key, and format output as text/JSON. There are no instructions to read unrelated files or exfiltrate extra data.
- Install Mechanism
- ok: No install spec; this is instruction + a small Python script. Nothing is downloaded or installed by the skill itself.
- Credentials
- concern: The script requires an API key (ROCOM_API_KEY), which is appropriate for calling the remote API, but the skill metadata failed to declare it. The key is sent directly to an external domain (wegame.shallow.ink). Confirm the legitimacy of the API provider and do not reuse high-privilege credentials.
- Persistence & Privilege
- ok: Skill is not marked always:true and does not request system-wide changes or persistent agent privileges. It simply runs a one-shot Python script; autonomous invocation is allowed by default but not otherwise privileged.
