HSCIQ MCP - 海关编码查询
ReviewAudited by ClawScan on May 12, 2026.
Overview
This looks like a legitimate HSCIQ customs-code client, but it tells the agent to automatically submit product details and images for external human review without an explicit confirmation step.
Install only if you are comfortable giving this skill an HSCIQ API key and sharing selected product details/images with HSCIQ. Before any consultation form, image upload, discussion reply, or paid option, require the agent to show the exact data and get your explicit confirmation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create a consultation record and send product details or images to HSCIQ and its human reviewers before the user clearly confirms that external submission is intended.
The instructions tell the agent to automatically submit product information and images to create an external consultation form when the AI is uncertain, without an explicit approval checkpoint.
→ 调用 create_guilei_form,自动提交产品信息与图片,生成归类咨询单
Require explicit user confirmation before calling create_guilei_form, uploading images, posting discussion messages, or using any paid/consultation-related option; show the destination and exact fields/files first.
Anyone with access to the configured API key may be able to use the user's HSCIQ account capabilities exposed by the API, including viewing or creating consultation-related data.
The client uses the stored HSCIQ API key as delegated account authority for tool calls, which is expected for the service but sensitive.
headers: { 'Content-Type': 'application/json', 'X-API-Key': CONFIG.apiKey }Use a dedicated HSCIQ API key, store it only in trusted local config or environment variables, and rotate it if exposed.
Product images and related business details may leave the local device and be shared with the HSCIQ provider and human classification experts.
The client reads selected local image files, base64-encodes them, and includes them in the API call for consultation creation.
const data = fs.readFileSync(imgPath); ... data: data.toString('base64')Upload only files the user intentionally selected and is comfortable sharing externally; avoid confidential images or private documents.