Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

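HSCIQ MCP - Customs Code Lookup

Provides customs code lookup for China, Japan and the United States, including duty rates and declaration elements, and supports searching product classification examples and CIQ items.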

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The skill's name/description match the code and instructions: it calls the HSCIQ MCP API and implements search_code, get_code_detail, search_instance, and unified searches. However, the registry metadata declares no required environment variables while the SKILL.md and client code require an HSCIQ API key stored in a local .env.hsciq file — a metadata mismatch (likely an omission).
Instruction Scope
Runtime instructions and the included client script stay within the stated purpose: they read a local API key file, call HSCIQ endpoints, and return results. Trigger keywords and example commands are limited to customs/CIQ/port queries. The skill does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints.
Install Mechanism
There is no automatic install step in the registry (instruction-only skill). README suggests copying files into ~/.openclaw/skills and running the included hsciq-client.js. No downloads from third-party URLs or archive extraction are performed by the skill itself.
Credentials
The client needs a single API credential (HSCIQ_API_KEY) — appropriate for the service. But this required credential is not declared in the registry metadata. The SKILL.md and README ask the user to store the key in ~/.openclaw/workspace/.env.hsciq; the client searches multiple locations (two HOME-based paths and the current working directory), which is slightly inconsistent and could lead to accidental use of a .env file in the current directory. No unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true, does not alter other skills, and has no elevated system persistence. It merely suggests copying its files into the user's skills directory (user-controlled).
Assessment
This skill appears to do what it claims (call HSCIQ's MCP API) and requires one API key. Before installing:
(1) Verify the API base URL (https://www.hsciq.com) and obtain the API key from that official site;
(2) Be aware the registry metadata did not list HSCIQ_API_KEY — store the key in the file described (e.g., ~/.openclaw/workspace/.env.hsciq) and set file permissions (chmod 600) so it isn't world-readable;
(3) Confirm you are comfortable giving the key the API's allowed permissions (don't reuse high-privilege keys);
(4) Note the client searches multiple .env locations (including the current working directory) — avoid placing sensitive .env files in shared/project directories;
(5) Optionally review the included hsciq-client.js yourself (it is short and readable) to confirm no unexpected behavior;
(6) Ensure your Node runtime provides fetch or install a compatible Node version.
If you want stronger assurance, ask the publisher to update the skill metadata to declare HSCIQ_API_KEY explicitly and to fix the minor path inconsistencies in the env-file lookup.
hsciq-client.js:27 - Environment variable access combined with network send.
hsciq-client.js:33 - File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
Tags: classification, customs, hs-code, latest, mcp, trade

SKILL.md

HSCIQ MCP Skill

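Customs code lookup and product classification service, based on the HSCIQ MCP API.

Features

  • search_code - Search customs codes by keyword (supports China/Japan/United States)
  • get_code_detail - Get customs code details (duty rates, declaration elements, regulatory conditions, etc.)
  • search_instance - Search classification examples by product name
  • search_unified - Unified search (CIQ items/hazardous chemicals/port information)

Trigger conditions

Triggered automatically when the user mentions any of the following keywords:

  • "海关编码" (customs code), "HS 编码" (HS code), "税号" (tariff number), "商品编码" (commodity code)
  • "查询税率" (look up duty rate), "申报要素" (declaration elements), "监管条件" (regulatory conditions)
  • "CIQ", "危化品" (hazardous chemicals), "港口代码" (port code)
  • "归类实例" (classification example), "商品归类" (product classification)

Configuration

The API key is stored in ~/.openclaw/workspace/.env.hsciq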

HSCIQ_BASE_URL=https://www.hsciq.com
HSCIQ_API_KEY=your_api_key

Commands

# Search customs codes
hsciq search-code --keywords "塑料软管" --country CN

# Get code details
hsciq get-detail --code "3926909090" --country CN

# Search classification examples
hsciq search-instance --keywords "电子产品" --country CN

# Search CIQ items
hsciq search-ciq --keywords "食品"

# Search ports
hsciq search-port --keywords "上海"

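Usage examples

Example 1: Look up a product's customs code

User: Please look up the customs code for "塑料软管" (plastic hose)
→ Calls search_code and returns a list of codes with duty rate information

Example 2: Get code details

User: What is the duty rate for code 3926909090?
→ Calls get_code_detail and returns the full duty rates, declaration elements and regulatory conditions

Example 3: Search classification examples

User: Show me how others have classified "蓝牙耳机" (Bluetooth earphones)
→ Calls search_instance and returns historical classification cases

API documentation

Full API reference: https://www.hsciq.com/MCP/Docs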

Files

3 total