Skill v1.0.0

ClawScan security

UAPI Query GitHub Repository API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 9, 2026, 8:36 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only wrapper for a single UAPI endpoint (GET /github/repo); its requested access and behavior match its description and it does not ask for extra credentials or install anything.
Guidance
This skill is a thin wrapper around UAPI's GET /github/repo endpoint and appears coherent. Before enabling: (1) know that API calls go to https://uapis.cn/api/v1, (2) no credentials are required by default but you may need to provide a UAPI Key if you hit rate limits, and (3) consider whether any repository identifiers you send contain sensitive info (the endpoint is intended for public repo queries). If you need to audit network or data handling more strictly, request the maintainer's integration details or test with non-sensitive queries first.

Review Dimensions

Purpose & Capability
ok: The skill's name and description state it wraps the UAPI GET /github/repo endpoint, and all included files (SKILL.md and references) describe only that endpoint and related guidance. There are no unrelated permissions, binaries, or secrets requested.
Instruction Scope
ok: Runtime instructions only direct the agent to verify parameters, read bundled reference docs, and call the UAPI endpoint. They do not instruct reading local files, environment variables, or sending data to unexpected endpoints beyond the documented Base URL (https://uapis.cn/api/v1).
Install Mechanism
ok: No install spec or code files that would be written to disk are present; this is an instruction-only skill (lowest install risk).
Credentials
ok: The skill declares no required environment variables or credentials. It sensibly notes that an optional UAPI Key may be needed if rate limits are hit; this is proportional to calling a third-party API.
Persistence & Privilege
ok: "always" is false and the skill has no install-time persistence or requests to modify other skills or system settings.