Back to skill
Skillv1.0.0
ClawScan security
UAPI 程序员历史事件 接口 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 7:31 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is a simple, instruction-only wrapper for a single public GET /history/programmer endpoint and its declared requirements and instructions align with that purpose.
- Guidance
- This skill appears coherent and low-risk: it only documents and wraps a public GET /history/programmer endpoint. Before installing, confirm you trust the remote API host (https://uapis.cn) and avoid sending any sensitive or secret data (passwords, API keys, personal identifiers) in requests to that endpoint. Be aware the agent may call the skill autonomously (implicit invocation is allowed); if you require tighter control, restrict autonomous skill use in your agent settings. If you expect to provide a UAPI Key, verify how and where the key will be stored or transmitted by your environment (the skill itself does not declare any storage behavior).
Review Dimensions
- Purpose & Capability
- okName, description, and included reference files all describe a single UAPI endpoint GET /history/programmer. There are no unrelated environment variables, binaries, or external services declared that would contradict the stated purpose.
- Instruction Scope
- okSKILL.md directs the agent to read local reference docs and to call the public API endpoint (base URL https://uapis.cn/api/v1). It asks the agent to validate parameters and to request a UAPI Key only if the API signals rate limits — no instructions to read arbitrary files, secrets, or system state outside the skill's files.
- Install Mechanism
- okThis is instruction-only with no install spec and no code files to write to disk. Lowest-risk install profile.
- Credentials
- okThe skill requests no environment variables or credentials up front. It mentions that a UAPI Key might be needed if the endpoint limits anonymous access — that is proportionate and expected for a third-party API wrapper.
- Persistence & Privilege
- okalways is false. agents/openai.yaml allows implicit invocation (allow_implicit_invocation: true), which is normal for skills and not a concern by itself. The skill does not request system-wide config changes or persistent privileges.