Skillv1.0.0

ClawScan security

Blueprint Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 18, 2026, 3:39 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description (UE 蓝图/材质生成器) is plausible, but the runtime instructions reference an external AI gateway and require an API key and many source files that are not present in the package — these mismatches make the skill's requirements and behavior unclear and potentially risky.
Guidance: Do not supply any API keys or secrets to this skill yet. The package lacks the source files and build artifacts the SKILL.md refers to, and the metadata does not declare the API_KEY that the instructions require — this is an incoherence. Before installing or using: 1) ask the publisher for the full source repository or a verified release (including the referenced src/ files and package.json); 2) verify the legitimacy of minimaxi.com and the deployment domain (search for official docs or contact the provider); 3) avoid hardcoding credentials into source files—use environment variables or a secrets manager if you proceed; 4) if you must test, do so in an isolated environment or sandbox and monitor outbound network traffic to the listed endpoints. If the publisher cannot provide provenance or the missing code, avoid installing or granting any credentials.

Review Dimensions

Purpose & Capability: concernThe SKILL.md describes a web app that calls a third‑party AI gateway (api.minimaxi.com) and lists many src/ files and npm scripts, but the package contains only SKILL.md and one example JSON. The registry metadata declares no required env vars or credentials even though the instructions require an API key and API base. Asking agents to run npm scripts and edit src files that are not included is incoherent with the provided artifact.
Instruction Scope: concernInstructions direct runtime use of an external endpoint (https://api.minimaxi.com/v1) and tell developers to put an API_KEY into src/api.ts and src/api/material.ts. They also instruct working under /workspace/blueprint-generator and running npm commands. Those actions imply reading/writing project files and network communication; given the package lacks the referenced code, the instructions grant broad discretion with unclear justification.
Install Mechanism: noteThere is no install spec (instruction-only), so nothing will be written or downloaded by an installer — low install risk. However, the SKILL.md points to an unfamiliar deployment domain (ncvbhgghna86.space.minimaxi.com) and an external API gateway; network calls to those endpoints are required at runtime and should be considered when assessing risk.
Credentials: concernThe skill will require an API key for the MiniMax gateway (the SKILL.md shows API_KEY and API_BASE), but the skill metadata lists no required environment variables or primary credential. This mismatch is significant: the skill asks for a secret (MiniMax API key) without declaring it, and the instructions encourage placing the key directly into source files (hardcoding), which increases the risk of accidental exposure or exfiltration to the external API.
Persistence & Privilege: okThe skill is not marked always:true and does not request any system-level persistence or configuration changes. It does not declare modifications to other skills or global agent settings.