Skill v1.0.0

ClawScan security

Zhihu Keyword Content Search · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 1, 2026, 1:45 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill implements exactly what it says — a Zhihu keyword crawler — and its code, instructions, and requirements are coherent; the main risk is that it asks the user to supply a full Zhihu login cookie (sensitive), which is necessary for its functionality.
Guidance
This skill is coherent with its description, but it asks you to provide your full Zhihu login Cookie (a session token). That token can grant access to your account if leaked — only paste it into code you trust. Recommendations: (1) review the included zhihu_crawl.py locally before running; (2) run the script on an isolated or throwaway account if possible; (3) do not paste cookies into third-party web UIs or share them; (4) be aware of Zhihu's terms of service and rate limits; (5) ensure you have 'requests' installed in a controlled Python environment. If you are uncomfortable providing a full login cookie, do not install or run this skill.

Review Dimensions

Purpose & Capability
ok
The name/description match the included Python script (zhihu_crawl.py) and README: the code searches Zhihu, ranks by answer count, fetches answers, and writes JSON/plaintext outputs. No unrelated binaries, services, or credentials are requested.
Instruction Scope
note
SKILL.md instructs running the provided script with a --cookie argument and explains how to copy the browser cookie. The instructions do not attempt to read unrelated system files or send data to third-party endpoints. However, asking users to paste their full browser Cookie is sensitive — it is within scope for accessing logged-in Zhihu APIs but should be handled cautiously.
Install Mechanism
ok
No install spec; dependency is requests (not bundled). The skill is instruction+source-file only, so nothing is downloaded from external URLs or installed silently. Risk from install mechanism is low.
Credentials
note
No environment variables or external service credentials are declared, which matches the registry metadata. The script requires a Zhihu login cookie passed as a CLI argument; this is necessary to access certain Zhihu APIs but is sensitive (session tokens). No unrelated credentials (AWS, GitHub, etc.) are requested.
Persistence & Privilege
ok
Skill does not request always:true and does not modify other skills or system-wide settings. It runs as a normal, on-demand script and writes only to the configured output directory.