Skill v1.0.0

ClawScan security

venue-polling · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 3:23 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions largely match its stated purpose (polling and signature debugging), but it uses credentials and local private-key material that are not declared and can perform live requests (including creating orders), which is disproportionate and requires caution.
Guidance
This skill appears to do what it says (poll venue availability and help debug signing), but it reads a local rsa_private_key.pem and contains a hardcoded API token, neither of which is declared in the metadata. Before running it: (1) review the code yourself or have someone you trust review it; (2) do not place your real private key or production tokens in the working directory unless you trust the code and the remote endpoint; (3) remove or replace the hardcoded TOKEN and prefer an environment variable if you must supply credentials; (4) run the signature-replay and verification helpers offline first (they won't contact the network) before enabling AUTO_BOOK; (5) run the scripts in an isolated environment (container/VM) and monitor outbound network traffic; and (6) be aware that running venue_polling.py with AUTO_BOOK=True will attempt to create real orders on the external service, which could have financial or account consequences.
Findings
[base64-block] expected: A base64 block was detected by the pre-scan. This is expected here: the scripts and captured request include a Base64-encoded RSA signature constant used for signature verification/replay. The flagged pattern likely corresponds to the captured X-Ca-Signature or other signature material in the scripts/references rather than a prompt-injection attempt.

Review Dimensions

Purpose & Capability
note: The name/description match the included scripts: venue_polling.py (polling + auto-booking), signature_replay_test.py and public_key_verify_test.py (offline signature debugging). The skill talks to a real external endpoint (shop.chuanshatiyuchang.cn) and includes captured requests and analysis notes, all consistent with a reverse-engineering / booking helper. However, the code embeds a hardcoded token constant (TOKEN = "0cd5cb6b21fc410dbd81bc3e6a066614") and expects a local rsa_private_key.pem file (not declared as a required credential). The presence of an embedded token and an expectation to place a private key in the working directory are not declared in the skill metadata and are disproportionate to an instruction-only skill that lists no required credentials.
Instruction Scope
ok: SKILL.md stays on-topic: it directs the agent to read and modify the provided scripts and to use the captured references for context. It explicitly notes the scripts expect rsa_private_key.pem. It does not instruct reading unrelated system files. One caveat: the instructions encourage modifying and running bundled scripts, which, coupled with the included code, will cause outbound network requests and possibly create live orders. The agent should not run the auto-booking behavior without explicit user consent.
Install Mechanism
note: There is no install spec (instruction-only), so nothing is written to disk by an installer. However, the shipped Python scripts require third-party libraries (requests, cryptography) that are not declared in metadata. Running the scripts will execute code on the host and perform network I/O; users should ensure dependencies are installed from trusted sources and run in an isolated environment if needed.
Credentials
concern: The skill metadata declares no required environment variables or credentials, but the code contains an embedded 'token-user' value and reads rsa_private_key.pem from the working directory. These are sensitive: the token is effectively a credential for the external API and the private key can sign requests. The skill thus expects or uses credentials without declaring them, which is a disproportionate and unexpected privilege request and increases risk of unintended transactions or secret exposure.
Persistence & Privilege
note: The skill is not marked 'always' and is user-invocable. It allows autonomous model invocation (the platform default), which by itself is normal. Combined with the credential/secret handling and the ability to send signed createOrder requests, autonomous runs could perform actions (e.g., place orders) if the private key or token is accessible, so run with caution and avoid granting it access to live secrets without review.