Skill v1.0.3
ClawScan security
Volcengine SDK Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 6:41 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions align with its stated purpose (generating Volcengine SDK code and configuration guidance); it is instruction-only, requests no credentials, and does not perform unexpected actions.
- Guidance: This skill appears coherent and focused on producing Volcengine SDK code and configuration guidance. Before using: (1) do not paste long-lived AK/SK credentials into chat; prefer temporary STS tokens or OIDC; (2) review any generated code before running it, especially examples that disable SSL verification, set HTTP proxies, or change endpoints; (3) the skill will call Volcengine's API Explorer endpoints (network requests to api.volcengine.com) to look up service/actions, so ensure this behavior is acceptable in your environment; (4) if you want the skill to include credentials in generated examples, explicitly provide them (prefer temporary/test values) and avoid supplying production secrets. No suspicious or unrelated access patterns were detected.
Review Dimensions
- Purpose & Capability (ok): The name/description match the instructions: the SKILL.md explains how to map a user request to a Volcengine service/action and generate SDK code in Go/Python/PHP/Java/Node. It requires no unrelated binaries, credentials, or config paths; everything requested (calling Volcengine API Explorer, producing SDK config examples) is proportional to the stated purpose.
- Instruction Scope (note): Runtime instructions are focused: parse user intent, look up service/version/action via Volcengine's API Explorer, and generate code and configuration guidance. The SKILL.md includes many example snippets that reference environment variables and token-file patterns (AK/SK, STS, OIDC file path), but the skill does not instruct the agent to automatically read host environment variables or files. Recommendation: the agent should prompt the user for any credentials or file paths rather than scavenging them from the host environment.
- Install Mechanism (ok): This is an instruction-only skill with no install specification and no code files executed on the host. That minimizes on-disk installation risk.
- Credentials (note): The skill declares no required environment variables or secrets. Example code uses typical Volcengine env var names (VOLCENGINE_ACCESS_KEY, VOLCSTACK_*, session token, proxy vars). These are expected for SDK integration, but the skill does not require them. Users should avoid pasting long-lived credentials into prompts and prefer temporary STS/OIDC where possible.
- Persistence & Privilege (ok): always is false and the skill requests no config paths or system changes. It does not request permanent presence or system-level privileges.
