Skill v1.0.0
ClawScan security
Media Ad Traffic Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 9:08 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with its stated purpose (submitting and downloading ad-traffic analysis tasks from a MediaInsight service); nothing in the package requests unrelated credentials or installs unexpected components.
- Guidance: This skill is coherent for querying MediaInsight ad-traffic data: it decodes a MediaInsight JWT (the demo token is bundled), extracts username/password from the token's 'sub' field, logs in to the specified API host, submits tasks, and can download and extract ZIP reports. Before using it, consider: 1) only supply a JWT you trust (the scripts will use the embedded username/password and may write session cookies to disk); 2) prefer using the demo token for testing and your own token only when necessary; 3) be aware the scripts write session/payload/report files to the current directory (or paths you provide) and will contact the DEFAULT_BASE_URL host — verify that URL is intended; 4) the README contains an external account-creation link (a short/third-party URL) — do not share credentials through unknown sites. If you need a deeper review, provide the full truncated portions of the client and submit scripts so I can inspect any remaining logic (e.g., additional endpoints or unexpected data uploads).
Review Dimensions
- Purpose & Capability (ok): Name/description describe ad-traffic analysis and the repository contains scripts and a client that talk to a MediaInsight API (submit task, check status, download report). Required inputs (a MediaInsight JWT or credentials) align with that purpose; no unrelated services or binaries are requested.
- Instruction Scope (note): SKILL.md and scripts instruct the agent to decode a JWT, extract username/password from the JWT 'sub' field, log in to the MediaInsight API, resolve visible dictionary entries, submit tasks, and download result zips. This is within the advertised scope. Note: extracting username/password from a JWT 'sub' is unusual — it is consistent with this service's expected workflow but is sensitive (the scripts will use and may persist those credentials).
- Install Mechanism (ok): No install specification; this is instruction + pure Python scripts. Nothing is downloaded from arbitrary URLs during install. The package requires network access to the service domain (DEFAULT_BASE_URL) at runtime.
- Credentials (note): The skill requires a MediaInsight JWT (or a file/path to one) which the scripts decode to obtain username/password; no other environment variables or secrets are requested. That credential requirement matches the skill's needs, but users should be mindful that a JWT containing raw credentials is sensitive and will be used/stored by the scripts.
- Persistence & Privilege (ok): The skill does not request elevated platform privileges, does not set always:true, and will not autonomously install itself. It persists a session file (cookies) and optionally writes a payload file or extracted report files to disk — behavior described in SKILL.md and confined to the skill's own session/payload/report files.
