Skill v1.0.0

ClawScan security

跨境电商选品工具 (cross-border e-commerce product selection tool) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Scanned: Apr 6, 2026, 7:49 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The package is coherent with its stated purpose (keyword analysis, profit calc, AI listing) and contains no obvious attempts to exfiltrate secrets or perform unrelated actions, though there are a few minor mismatches and operational gotchas you should know before running it.
Guidance
This package appears to do what it claims: keyword mocks, competitor mocks, profit math, and optional OpenAI-based listing generation. Things to consider before installing/running:
- OPENAI_API_KEY is optional, but if you provide it the app will send product/keyword data to OpenAI — only supply it if you trust the code and runtime environment.
- The README/Docker examples mention MySQL/Redis and show an insecure default password in an example; those are optional, but avoid using insecure defaults in production.
- setup.sh only installs flask and flask-cors; run pip install -r requirements.txt (in a venv) before using features that need openai/redis/pymysql.
- The competitor scraper and keyword analyzer currently use simulated/mock data; they do not perform live scraping by default.
- Run the service in an isolated environment (virtualenv or container) and inspect the code if you plan to provide real API keys or expose it to the internet.
If you want, I can point out exact lines where OpenAI is used and suggest a minimal, safe command to run it in offline/mock mode.

Review Dimensions

Purpose & Capability
Note: The code, README and SKILL.md all align: keyword analysis, competitor mock data, profit calculator and optional OpenAI-based listing generation. The skill does not request unrelated credentials. Minor inconsistency: requirements.txt includes DB/Redis libraries and Docker examples show MySQL/Redis usage (optional), but runtime code uses mock data by default; real integrations are optional and documented.
Instruction Scope
OK: Runtime instructions (CLI and HTTP API) and SKILL.md stay within the described domain. The code does not read arbitrary system files or attempt to collect unrelated environment data. If an OPENAI_API_KEY is provided the service will call OpenAI; otherwise it falls back to mock data.
Install Mechanism
Note: No registry install spec is provided (low risk). A setup.sh exists but installs only flask and flask-cors rather than the full requirements.txt. There are no external download URLs or archive extracts; all source is included in the package. You should update the install steps to pip install -r requirements.txt before use.
Credentials
Note: The package metadata declares no required env vars, which is consistent with the tool working in mock mode; however, the code optionally uses OPENAI_API_KEY (to call OpenAI) and docs show optional DB/Redis environment settings. Requiring an OpenAI key is proportional to the optional AI Listing feature, but you should not supply keys unless you trust the runtime environment.
Persistence & Privilege
OK: No special persistence or elevated privileges are requested. always:false and agent-autonomy defaults are fine. The skill does not modify other skills or system-wide configuration.