Skill v1.0.0

ClawScan security

施工建材采招助手-鲁班乐标 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 20, 2026, 9:00 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose, runtime instructions, and required credential (ZLBX_API_KEY) are consistent: it calls a third‑party API to return price trends and top suppliers for construction materials and does not request extra privileges or install code.
Guidance
This skill is internally coherent: it needs only one API key and its instructions match the documented endpoints. Before installing, verify the third‑party service (mcp-server.zhiliaobiaoxun.com / ai.zhiliaobiaoxun.com) is trustworthy — the registry metadata lists no homepage or source. Limit the API key's permissions if possible, monitor its usage, and avoid sharing a high‑privilege credential. If you need stronger assurance, ask the publisher for an official homepage, privacy/retention policy, and expected data fields sent to their API.

Review Dimensions

Purpose & Capability
ok
Name/description require price trends and top-brand/supplier data for construction materials; SKILL.md documents matching API endpoints (get_price_trends, get_top_brands, get_top_suppliers, etc.) and a single API key (ZLBX_API_KEY). The requested credential aligns with the stated purpose.
Instruction Scope
ok
Instructions only describe making POST requests to https://mcp-server.zhiliaobiaoxun.com/api_v2/{tool} with header X-API-Key and expected request/response schemas. There are no instructions to read unrelated files, system configuration, or other environment variables, nor to transmit data to unrelated endpoints.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files. Nothing is written to disk or downloaded by the skill itself according to the provided artifacts.
Credentials
ok
Only a single API credential (ZLBX_API_KEY) is required and declared as the primary credential. This is proportionate to the described external API usage; no unrelated secrets or system config paths are requested.
Persistence & Privilege
ok
always:false and no privileged install behavior. The skill is user-invocable and can be called autonomously (disable-model-invocation:false), which is the platform default and acceptable here given the limited scope and single API key requirement.