Back to skill
Skillv1.3.2
ClawScan security
Qjzd Nav Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 19, 2026, 3:50 PM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only router for the QJZD Nav CLI and its requirements and instructions are consistent with that purpose, but you should verify the qjzd-nav binary's provenance before use.
- Guidance
- This skill is internally consistent for controlling a local qjzd-nav CLI. Before installing or invoking it, verify that the qjzd-nav binary on your system is the official/trusted binary (check its source, checksum, or package manager). Be aware the CLI will read config files (e.g., ~/.config/qjzd-nav/config.json) and uses the OS keyring to store credentials — if you don't trust the binary, do not allow it to access those stores. If you want to be extra cautious, run qjzd-nav --help and a few safe read-only commands locally to inspect behavior before allowing an agent to invoke it autonomously.
Review Dimensions
- Purpose & Capability
- okThe skill describes a CLI router for QJZD Nav and only requires the qjzd-nav binary, which is exactly what you'd expect for this purpose. No unrelated binaries, env vars, or installs are requested.
- Instruction Scope
- noteSKILL.md stays within CLI usage (help, completion, commands) and references standard config locations ($QJZD_NAV_CLI_CONFIG_DIR, $XDG_CONFIG_HOME, $HOME) and system keyring storage. These references are expected for a CLI but do mean the agent (when running the qjzd-nav binary) may read config files and use the OS keyring for credentials.
- Install Mechanism
- okNo install spec is provided; this is instruction-only and will not download or write code. That is the lowest-risk install profile.
- Credentials
- okThe skill declares no required environment variables or credentials. The documented use of the system keyring and standard config paths is proportionate to a CLI that stores profiles and credentials.
- Persistence & Privilege
- okThe skill is not always-on and is user-invocable; it does not request elevated or persistent platform privileges nor indicate it will modify other skills or global agent settings.