Skill v1.0.2
ClawScan security
Vocab Deep Dive - 单词深度解析 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 4:24 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only vocabulary helper that uses the LLM by default and optionally queries a public dictionary API; its requested capabilities align with its stated purpose and it does not ask for credentials or elevated privileges.
- Guidance: This skill appears coherent and low-risk: it mainly relies on the LLM and may optionally call the public DictionaryAPI (https://api.dictionaryapi.dev) to verify pronunciations/definitions. Before installing, note: (1) any word you send could be included in outbound requests to that public API — avoid submitting secrets or sensitive data; (2) example sentences and exam advice are generated by the LLM and can hallucinate, so ask for verification or enable the API check for critical cases; (3) the skill has no special system access or credentials requested. If you want stricter guarantees, request that the skill only use the dictionary API when you explicitly ask for verification and/or review logs of external calls.
Review Dimensions
- Purpose & Capability (ok): Name/description (deep vocabulary analysis for learners/IELTS) match the SKILL.md. The only external resource mentioned is a public dictionary API for verification, which is appropriate and proportional.
- Instruction Scope (ok): Runtime instructions stay within scope: generate definitions, examples, collocations, etc., primarily from the LLM and optionally call the specified dictionary API to verify phonetics/definitions. There are no instructions to read local files, access unrelated env vars, or exfiltrate data to unexpected endpoints.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This minimizes disk writes and attack surface.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. The optional web_fetch to api.dictionaryapi.dev is consistent with the stated need to verify dictionary data.
- Persistence & Privilege (ok): always is false and there are no special persistence or cross-skill config modifications. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges here.
