Skill v1.0.5

ClawScan security

Skill Guangjiao · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 30, 2026, 9:58 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (Canton Fair lead discovery) aligns with most of its instructions, but there are metadata inconsistencies (registry vs SKILL.md) and trust-on-call claims about contact data that merit verification before installation.
Guidance
This skill mostly does what it says (query a vendor API to find Canton Fair leads), but check two things before installing: (1) Confirm the required API key: SKILL.md and clawhub.yaml require TRADEGPT_API_KEY, but the registry snapshot showed none — ensure the platform will prompt for and restrict that key. (2) Verify the provider's privacy/behavior: the skill claims contact details are not forwarded to third parties and that contact info is 'only shown locally', yet the API is said to return contact info. Ask the vendor (or test) whether the API returns contact data and whether it is logged or stored server-side. Practical steps: use a limited-scope/test API key, inspect the ./data/yunlv-skills/cantonFair/ files after a test run to confirm what is persisted, review yunlvai.com's privacy/API docs, and avoid granting broader credentials or network access than necessary. If you cannot verify these points, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
Note: The name, description, and SKILL.md consistently describe querying Canton Fair exhibitor data via the yunlvai MatchGPT API — requiring an API key (TRADEGPT_API_KEY) is proportionate. However, the registry summary at the top of the package report lists 'Required env vars: none' while both SKILL.md and clawhub.yaml declare TRADEGPT_API_KEY as required/primaryEnv. This metadata mismatch is an incoherence that should be resolved (likely an authoring/packaging error).
Instruction Scope
Note: SKILL.md instructs the agent to send query parameters to https://api.yunlvai.com, receive match results, perform filtering/matching locally, and write structured outputs under ./data/yunlv-skills/cantonFair/. These actions match the stated purpose. Two points to verify: (1) the skill repeatedly asserts that contact details are 'not sent to external' or 'only shown locally' while also saying the API can return contact info — this requires trusting the remote API's handling and the wording is ambiguous; (2) the skill writes local files (queries, leads, messages, logs) which may contain contact-related data unless the implementation truly omits them as claimed.
Install Mechanism
OK: This is an instruction-only skill with no install spec or code files to execute. That minimizes install-time risk (nothing downloaded or executed).
Credentials
Note: The declared credential (TRADEGPT_API_KEY) is appropriate for a remote MatchGPT API. The only concern is the inconsistent registry metadata (top-level 'Required env vars: none' vs explicit TRADEGPT_API_KEY in SKILL.md/clawhub.yaml). Confirm which metadata the platform will enforce. No other unrelated credentials or secrets are requested.
Persistence & Privilege
OK: The skill does not request always:true, does not modify other skills, and only describes writing files under a local subpath. That level of persistence is proportional for its function. Still verify what actually gets written to ./data/yunlv-skills/cantonFair/ in your environment.