Skill v1.0.0

ClawScan security

智灵大数据搜索 (Zeelin Big Data Search) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 11:03 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with its stated purpose (calling a Zeelin search API), but it expects you to supply and trust an external API URL that it never validates, and it stores the API key and the search results in local files. Review both before use.
Guidance
This skill appears to do what it says: convert user queries to JSON, sign requests, call a Zeelin search API, show results, and save the full JSON to a file. Before installing or using it:
(1) verify that the Zeelin_Api_Url and Zeelin_Website_Url you configure are correct and trusted; the skill does not validate them.
(2) avoid putting highly sensitive or reused secrets into the config file; use a dedicated API key for this skill.
(3) be aware that the API key is sent as HTTP headers to the configured endpoint and that the full API response is written to your user directory; check where the files are saved and who can read them.
(4) if you are unsure about the configured endpoint, test with a non-privileged key or a safe staging URL first.
If you want, I can help review the specific Zeelin_Api_Url you plan to use or suggest safer ways to store the key.
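The checks above can be scripted before the skill is installed. The following is an added example, not code from the skill bundle or from ClawHub: it loads a config in the shape the review describes (Zeelin_Api_Key, Zeelin_Api_Url, Zeelin_Website_Url), refuses non-HTTPS or non-allowlisted endpoints, verifies that the config and results files are owner-only, and shows an HMAC-SHA256 request signature keyed with the API key. The allowlisted hosts, the sample config, the canonical string (timestamp + newline + body) and the header names are assumptions; the page does not show the skill's exact signing format.

```python
"""Pre-install checks for a skill that reads templates/config.json (added example)."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
import time
from urllib.parse import urlparse

# Constructed sample config, not the skill's real templates/config.json.
# The API URL deliberately uses plain http so the check below has something to flag.
SAMPLE_CONFIG = {
    "Zeelin_Api_Key": "dedicated-key-used-only-by-this-skill",
    "Zeelin_Api_Url": "http://api.example.test/search",
    "Zeelin_Website_Url": "https://www.example.test",
}

# Assumed allowlist: the hosts you have decided are the real Zeelin endpoints.
TRUSTED_HOSTS = {"api.example.test", "www.example.test"}


def check_config(cfg, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings; an empty list means the config is acceptable.

    The skill itself only checks that Zeelin_Api_Key exists, so the URL checks
    here are the ones it does not perform.
    """
    findings = []
    if not cfg.get("Zeelin_Api_Key"):
        findings.append("Zeelin_Api_Key missing")
    for name in ("Zeelin_Api_Url", "Zeelin_Website_Url"):
        url = cfg.get(name)
        if not url:
            findings.append(f"{name} missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            # The key travels in headers; never let it go out over plaintext.
            findings.append(f"{name} is not https: {url}")
        if parsed.hostname not in trusted_hosts:
            findings.append(f"{name} host not in allowlist: {parsed.hostname}")
        if parsed.username or parsed.password:
            findings.append(f"{name} embeds credentials in the URL")
    return findings


def owner_only(path):
    """True if the file is not readable or writable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def sign_request(api_key, body, timestamp=None):
    """HMAC-SHA256 over 'timestamp\\nbody' keyed with the API key.

    Assumed canonical string and header names; the skill's real format is not on the page.
    """
    ts = str(timestamp if timestamp is not None else int(time.time()))
    message = f"{ts}\n{body}".encode()
    signature = hmac.new(api_key.encode(), message, hashlib.sha256).hexdigest()
    return {"X-Zeelin-Timestamp": ts, "X-Zeelin-Signature": signature}


def write_results_securely(payload, directory=None):
    """Write the full API response as JSON with owner-only permissions (0600)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "zeelin_result.json")
    # O_CREAT with an explicit mode avoids a window where the file is world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(payload, f)
    return path


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["config OK"]:
        print(finding)
    headers = sign_request(SAMPLE_CONFIG["Zeelin_Api_Key"], json.dumps({"question_name": "test"}))
    print(headers)
    out = write_results_securely({"results": []})
    print(out, "owner-only:", owner_only(out))
```

Run it against your own templates/config.json by replacing SAMPLE_CONFIG with json.load() of that file, and extend TRUSTED_HOSTS with the endpoints you have confirmed out of band. The allowlist is the important part: an https URL to the wrong host still sends the key and every query to an attacker.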

Review Dimensions

Purpose & Capability
ok: Name/description, templates, and SKILL.md all describe a natural-language-to-JSON conversion module plus a call to a Zeelin search API using a configured API key. The requested capabilities (reading templates, converting natural language to JSON, signing requests, POSTing question_name, printing results, and saving JSON results) are appropriate for that purpose.
Instruction Scope
note: The SKILL.md instructs the agent to read templates/config.json and two reference docs, convert user input to JSON, generate HMAC-SHA256 signatures with Zeelin_Api_Key, call Zeelin_Api_Url, and write the full API response as a JSON file into the user directory. These actions match the skill purpose, but the skill explicitly does not validate Zeelin_Api_Url or Zeelin_Website_Url (it only checks that Zeelin_Api_Key is present), so a misconfigured or malicious URL would receive the signed requests, the API key header, and every user query.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no downloaded code. No packages or external installers are pulled in by the skill bundle.
Credentials
note: The skill declares no environment variables and instead reads an on-disk templates/config.json for Zeelin_Api_Key and the URLs. Requiring a service API key is proportionate, but storing the key in a plaintext config file inside the skill path and sending it as an HTTP header to the configured endpoint are meaningful privacy and security considerations. Ensure the configured URL is trusted, restrict read access to the config file, and do not reuse the key for other services.
Persistence & Privilege
ok: The always flag is false and the skill does not request elevated or persistent system privileges. It does instruct writing result files to the user's directory and reading/writing its own template/config files, which is normal for an instruction-only skill.