Skill v1.0.0
ClawScan security
权威采招政策与标讯指南-元博网 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 10:35 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it documents remote API endpoints and legitimately requires a single API key (ZLBX_API_KEY) to call that service; there are no surprising installs, extra credentials, or instructions to access local files.
- Guidance: This skill will send your queries (and any query parameters you provide) to an external API (mcp-server.zhiliaobiaoxun.com / ai.zhiliaobiaoxun.com) using the API key you supply. That is expected for a service-integration skill, but because the package is instruction-only (no code to inspect) and the source/homepage is not provided, verify you trust the API provider before supplying a real API key. Recommendations: (1) Only provide a key with the minimal needed permissions or a limited/test key; (2) avoid including sensitive PII in queries; (3) review the provider's privacy and retention policies; (4) rotate/revoke the key if you stop using the skill; (5) if you need higher assurance, ask for the provider's official docs or a published homepage/source before installing.
Review Dimensions
- Purpose & Capability: ok. Name/description match the documented behavior: the SKILL.md describes querying and aggregating bid/market data from a remote Yuanbowang/知了标讯 API, and the skill only requests a single API key (ZLBX_API_KEY) which is appropriate for that purpose.
- Instruction Scope: ok. SKILL.md contains detailed API usage (endpoints, request/response formats, parameters) and instructs the agent to send POST requests with X-API-Key header using the ZLBX_API_KEY. It does not direct the agent to read unrelated local files or other environment variables, nor to exfiltrate data to third-party endpoints outside the documented service.
- Install Mechanism: ok. No install spec and no code files (instruction-only). This minimizes disk writes and execution of third-party code; nothing is downloaded or installed by the skill itself.
- Credentials: ok. Only one environment variable (ZLBX_API_KEY) is required and is declared as the primary credential. That matches the described API usage; there are no unrelated secrets or config paths requested.
- Persistence & Privilege: ok. The skill does not request always:true and is user-invocable with normal autonomous invocation allowed. It does not attempt to modify other skills or system-wide settings in the provided instructions.
