Back to skill
Skillv1.0.1
ClawScan security
volcengine-api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 15, 2026, 1:27 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's declared purpose (answering Volcengine API questions) matches its instructions (querying Volcengine's API Explorer); it is an instruction-only skill that asks for no credentials or installs and has no obvious scope creep.
- Guidance
- This skill is internally coherent: it queries Volcengine's documented API Explorer and returns API spec details, and it does not request credentials or install code. Before installing, confirm that outbound network access to api.volcengine.com is acceptable in your environment. Avoid pasting any secrets or private credentials into queries you ask the skill to process (the skill will forward user-provided query text to the public API). Also be cautious about handoffs: the SKILL.md delegates SDK/CLI work to other skills (volcengine-sdk-generator, volcengine-cli); review those skills separately before using them.
Review Dimensions
- Purpose & Capability
- okThe name/description say it will answer questions about Volcengine API specs; the SKILL.md contains step-by-step queries to Volcengine's API Explorer endpoints (services, versions, apis, api-swagger) which is exactly what a spec-querying skill needs. No unrelated binaries, env vars, or config paths are requested.
- Instruction Scope
- okInstructions are limited to calling Volcengine API Explorer endpoints, parsing Swagger/OpenAPI responses, and returning API details (params, enums, responses, errors). The skill does not instruct reading local files, system credentials, or transmitting data to unexpected endpoints. It does reference handing off to other Volcengine-related skills for SDK/CLI tasks, which is reasonable.
- Install Mechanism
- okThere is no install spec and no code files; this is instruction-only so nothing is written to disk and no external packages are fetched during install.
- Credentials
- okThe skill declares no required environment variables, no credentials, and no config paths. The API Explorer endpoints shown are queried without any declared auth; if those endpoints actually require credentials, the SKILL.md does not request them, but that is an implementation detail rather than an incoherence with the stated purpose.
- Persistence & Privilege
- okThe skill is not forced-always and does not request elevated persistence. disable-model-invocation is false (normal). It does not attempt to modify other skills or system-wide settings.