Skill v1.0.2

ClawScan security

Skill Compliance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 8:17 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's declared inputs and runtime instructions are consistent with an import/export compliance helper that calls a vendor API; nothing requests unrelated credentials or performs unexpected system access.
Guidance
This skill appears coherent and limited to calling a vendor compliance API. Before installing, verify the vendor (https://yunlvai.com) is reputable, confirm what data will be sent to the external API (avoid sending confidential trade secrets or full contracts), restrict and rotate the TRADEGPT_API_KEY, review the provider's privacy and retention policies (especially for PII and export-control sensitive info), and confirm pricing/limits fit your needs. If you require legally binding advice, treat outputs as advisory and consult counsel.

Review Dimensions

Purpose & Capability
Status: ok
Name/description describe import/export compliance checks, and the skill only declares a single external API (云旅AI TradeGPT) and a matching API key (TRADEGPT_API_KEY). Requesting an API key is proportionate to the stated purpose.
Instruction Scope
Status: ok
SKILL.md stays within scope: it describes taking product/party inputs, performing tariff/certification/sanctions/export-control checks, and reading the included reference markdown files when needed. It does not instruct reading unrelated system files, other env vars, or sending data to unexpected endpoints.
Install Mechanism
Status: ok
Instruction-only skill with no install spec and no bundled code. No downloads or filesystem writes are specified, minimizing install-time risk.
Credentials
Status: ok
Only a single credential (TRADEGPT_API_KEY) is declared and used to call the vendor API. That is appropriate for a cloud-backed compliance service. No other secrets, keys, or config paths are requested.
Persistence & Privilege
Status: ok
The always flag is false, and the skill does not request persistent system-level privileges or modification of other skills. It may be invoked by the agent (normal), but it does not request elevated presence.