Back to skill
Skillv1.0.0
ClawScan security
UpKuaJing SMS messaging tool, send bulk SMS and monitor delivery reports with instant task tracking. UpKuaJing helps marketers, sales teams, and operations reach customers globally, track SMS campaigns, and drive conversions — perfect for promotions, notifications, two-factor authentication, and client outreach. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 17, 2026, 11:42 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required API key are consistent with an SMS-sending/tracking tool; it asks only for the expected API key and uses Python/httpx to call the upkuajing API, but it will create a ~/.upkuajing directory, cache version info, and contact the vendor for version checks.
- Guidance
- This skill appears internally consistent for sending and tracking SMS via UpKuaJing. Before installing, consider: 1) The skill will ask for and/or store your UPKUAJING_API_KEY (in environment or ~/.upkuajing/.env) — treat that key like a secret and ensure you trust the provider/account and its billing. 2) The code performs a daily version check by contacting openapi.upkuajing.com and caches results in ~/.upkuajing/version_cache.json; it may also write logs to ~/.upkuajing/logs if logging is enabled in the code. 3) SMS sends incur fees—the SKILL.md says it will always ask for explicit confirmation before billing actions; verify that behavior when you run it. 4) If you have concerns about third‑party code, run the scripts in a contained environment (virtualenv/container), inspect or pin the httpx dependency, and verify the provider homepage/contact information independently. If you want extra assurance, test read-only APIs (task list / record list) first before using auth.py to request or store a key or performing paid sends.
Review Dimensions
- Purpose & Capability
- okName/description (UpKuaJing SMS send & tracking) match the included scripts and docs. The single required env var (UPKUAJING_API_KEY) and python/httpx dependency are appropriate for calling the provider's REST API.
- Instruction Scope
- okSKILL.md instructs running the provided Python scripts, storing the API key in ~/.upkuajing/.env or env var, and obtaining a key via the included auth script. It does not instruct reading unrelated system files or other credentials.
- Install Mechanism
- okNo external downloads or installers; bundled Python scripts and a small requirements.txt (httpx) are provided. No use of URL shorteners or remote archives for installation.
- Credentials
- okOnly UPKUAJING_API_KEY is requested as a primary credential. The key is used as expected for API calls; no unrelated credentials or broad secrets are requested.
- Persistence & Privilege
- noteThe skill writes files under ~/.upkuajing (env, version_cache.json, optional logs if ENABLE_API_LOGGING is enabled) and creates a task_data directory in the skill folder. always:false (normal). The version check contacts the provider's endpoint and caches results—this is reasonable for update checks but does create persistent local state and network calls.