Skill v1.0.3
ClawScan security
Skill Product · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 7:58 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's purpose (generating product descriptions) is plausible, but the package contains inconsistent metadata about required credentials and runtime behavior and leaves it ambiguous whether user product data will be sent to an external API, so you should verify before installing.
- Guidance: Before installing, confirm the following: (1) Does the skill actually call https://api.yunlvai.com at runtime? If so, you will be sending product content (possibly including sensitive commercial details) to that service; review its privacy policy and terms. (2) Why do SKILL.md and clawhub.yaml declare TRADEGPT_API_KEY and python3 while the registry summary says none are required? Ask the publisher to explain the mismatch and provide explicit runtime behavior (a sample API request/response or a clear statement that calls are optional). (3) If an API key is required, verify the minimum privileges of that key and whether you can revoke it. (4) Test with non-sensitive/sample data first. The skill appears coherent for its stated purpose, but the metadata inconsistencies and lack of explicit network-call instructions justify caution.
Review Dimensions
- Purpose & Capability (note): The skill's stated purpose (B2B product description generation, multi-language, platform adaptation) matches the included templates and guides. However, embedded metadata (SKILL.md and clawhub.yaml) declare a primaryEnv TRADEGPT_API_KEY and a dependency on python3 while the registry summary at the top lists no required env vars or binaries; this mismatch is unexplained and reduces confidence in the declared requirements.
- Instruction Scope (note): SKILL.md contains thorough, scoped instructions and reference files for generating product content and explicitly references resource files in the bundle. It does not include explicit, concrete runtime commands or sample network calls to the api.yunlvai.com endpoint, but the metadata claims the Yunlv TradeGPT API will be used. That makes it unclear whether (and when) user-provided product data will be transmitted to an external service.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files; nothing is downloaded or written to disk during install, which is lower risk.
- Credentials (concern): The skill's internal metadata requests a single API credential (TRADEGPT_API_KEY) and declares python3 as a required binary. Requesting one API key is reasonable for a hosted content-generation service, but the top-level registry claims no env vars. The discrepancy is concerning. Also, there is no clear justification in SKILL.md for requiring python3 for an instruction-only skill.
- Persistence & Privilege (ok): The skill is not marked always:true, and has no install hooks or code that would persist or modify other skills. It requires no system config paths or elevated privileges.
