Skill v1.0.1

ClawScan security

Byted Market Insight Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 21, 2026, 7:16 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
Skill mostly implements what it claims (Gateway/SDK switching for Volcengine Insight) but has a few security-relevant behaviors that are surprising or require user attention: it scans shell rc files, can auto-install a Python SDK, and persists credentials in plaintext under persist/, plus debug logging may print response bodies.
Guidance
This skill appears to implement a legitimate Volcengine Insight client, but you should be aware of and accept a few privacy/security tradeoffs before installing:

- It will look for credentials in your environment and will read simple `export VAR=VALUE` lines from shell rc files in your home directory (only specific ARK_/VOLCSTACK_ variables). If you keep secrets in rc files, they may be discovered by the skill.
- If no credentials are available, the skill will persist credentials you (or the agent) provide into persist/auth.json in the skill folder, unencrypted. If you do not want credentials written to disk, do not use the minimal-ask flow or remove/secure that file after use.
- The skill may auto-install the official `volcengine-python-sdk` via pip when the SDK path is needed. If you wish to avoid on-the-fly installs, run in an isolated environment or pre-install the SDK yourself; check for an env var like MARKET_INSIGHT_AUTO_PIP to disable auto-install (quick_validate references this var).
- Debug logs include a snippet of HTTP response bodies (up to 500 chars), which could reveal sensitive data. If you run this in a shared or production environment, redirect or suppress debug output and inspect gateway_provider._debug_response_summary behavior.

Recommended mitigations before use:

1) Review the code (auth_resolver.ensure_sdk_available and logging) in full and decide whether to allow auto pip installs.
2) Run the skill in an isolated virtualenv/container and pre-install the SDK if needed.
3) Ensure persist/ is placed on secure storage (or remove persist/auth.json and persist/state.json when finished), and restrict file permissions.
4) Avoid storing other secrets in your rc files, or remove those exports before running the skill.
5) If you require stronger protections, request the vendor provide an option to store credentials encrypted or to disable persistence and rc scanning.

If you want, I can point out the exact lines that log response bodies and the locations where the skill writes credentials so you can audit or patch them.

Review Dimensions

Purpose & Capability
ok: Name/description align with the code: client exposes list_custom_subs_task / pull_post / query_clue_info and the code expects either an API Gateway (ARK_SKILL_API_BASE / ARK_SKILL_API_KEY) or official SDK (VOLCSTACK_ACCESS_KEY_ID / VOLCSTACK_SECRET_ACCESS_KEY). Requested env vars and providers are coherent with the declared purpose.
Instruction Scope
concern: SKILL.md and code instruct the agent to read environment variables, read simple `export` lines from common shell rc files (~/.bashrc, ~/.zshrc, etc.), and persist state/credentials to persist/*. The code also prints a debug snippet of HTTP response bodies (gateway_provider._debug_response_summary) which could expose sensitive response contents despite claims of log sanitization.
Install Mechanism
note: Registry has no install spec (instruction-only), but auth_resolver declares it will attempt to auto-install the `volcengine-python-sdk>=5.0.22` (pip). Auto pip install from PyPI is a moderate-risk behavior (expected for using the SDK, but it modifies the runtime environment). The package source appears to be the public package name, not an arbitrary URL.
Credentials
note: The skill only requests credentials relevant to the stated providers (ARK_* and VOLCSTACK_*). However, it will scan users' home rc files for those variables (read-only) and will persist credentials provided via 'minimal ask' into persist/auth.json in plaintext. Both behaviors are functional but increase exposure of secrets on disk and during logging.
Persistence & Privilege
concern: Skill persists state and user-supplied credentials to persist/state.json and persist/auth.json under the skill root. Persisting sensitive credentials in plaintext is a notable risk. The skill is not marked always:true and does not modify other skills, but plaintext storage and auto-install behavior increase its persistence/privilege impact.