Skill v1.1.2
ClawScan security
乐有家找房 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 3, 2026, 12:57 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it only needs curl and an LYJ_API_KEY to call Leyoujia APIs and its instructions match that purpose.
- Guidance: This skill appears to do exactly what it claims: use your Leyoujia API key to query Leyoujia endpoints via curl. Before installing, ensure the API key you provide is obtained from the official Leyoujia site and limit its scope if possible. Note the SKILL.md may read LYJ_API_URL if set — if you do not want a custom base URL used, leave LYJ_API_URL unset. Avoid supplying unrelated secrets or keys (the skill only needs LYJ_API_KEY). If you are in a shared environment, consider creating a dedicated, limited key for this skill and monitor its usage.
Review Dimensions
- Purpose & Capability: ok. Name/description and runtime instructions all describe making API calls to Leyoujia endpoints; the only declared requirement is an API key and curl, which is appropriate for this purpose. Minor note: the SKILL.md refers to an optional LYJ_API_URL env var for overriding the base URL, while the registry metadata lists only LYJ_API_KEY.
- Instruction Scope: ok. SKILL.md instructs the agent to build JSON requests and POST to wap.leyoujia.com endpoints with X-Api-Key header. It does not instruct reading unrelated system files or other credentials, nor sending data to third-party domains outside the Leyoujia domain.
- Install Mechanism: ok. No install spec and no code files — instruction-only skill that uses existing curl binary. Lowest install risk.
- Credentials: note. Requesting a single API key (LYJ_API_KEY) is proportionate. Small inconsistency: the documentation mentions LYJ_API_URL may be injected/used, but LYJ_API_URL is not declared in the registry's required env list; the agent might read that env if present.
- Persistence & Privilege: ok. always is false and the skill does not request persistent or elevated platform privileges. It will make outbound HTTP requests using the provided key, which is expected behavior.
