Skill v1.0.2

ClawScan security

Skill Customs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 8:16 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This skill appears to do what it says: it queries the Yunlv (api.yunlvai.com) customs/trade data service using a single API key and produces scored lead lists and outreach templates; nothing in the files suggests covert or unrelated behavior.
Guidance
What to check before installing:
- The skill calls api.yunlvai.com and requires a TRADEGPT_API_KEY: only provide an API key you trust and understand billing/pricing. Verify the vendor (https://yunlvai.com) and subscription terms.
- The skill generates and stores leads and outreach content locally under ./data/yunlv-skills/customsScout/ — review and secure that folder if it will contain PII.
- The skill helps produce contact messages (email/WhatsApp/LinkedIn). Sending outreach carries legal obligations (GDPR, CAN-SPAM, local laws) — do not auto-send messages without human review and consent checks.
- Metadata inconsistencies: the registry summary and the packaged files disagree about required env and version numbers; confirm which fields the platform will enforce (you should expect to need TRADEGPT_API_KEY).
- If you need higher assurance, ask the publisher for: an official privacy/data-processing statement, sample API request/response examples, and confirmation of how contact-matching/enrichment is performed and what sources are used.

Review Dimensions

Purpose & Capability
note: The skill's name, description, SKILL.md and clawhub.yaml consistently describe customs/trade-data mining and declare a single API (https://api.yunlvai.com) protected by TRADEGPT_API_KEY — this is proportionate to the stated purpose. Minor inconsistencies: the top-level summary in the registry header showed "Required env vars: none" while the bundled files declare TRADEGPT_API_KEY as required, and SKILL.md lists version 1.0.0 whereas the registry shows 1.0.2. These are metadata mismatches but do not change functional coherence.
Instruction Scope
note: SKILL.md is instruction-only and stays within expected scope: querying customs records, enriching/matching contact info, scoring leads, producing reports and outreach templates, and storing outputs under a local ./data/yunlv-skills/customsScout/ path. It explicitly directs generation of contact messages (email/WhatsApp/LinkedIn) and storing leads/reports locally. There are no instructions to read unrelated system files or other credentials. Note: generation and use of PII (contact emails/phones) and automated outreach have legal/privacy implications (GDPR/CAN-SPAM) which the skill itself references — this is appropriate but requires user caution.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is the lowest-risk install mechanism: nothing is downloaded or written by an installer beyond what the agent itself does at runtime.
Credentials
note: The skill declares one primary credential, TRADEGPT_API_KEY, to authenticate to the Yunlv API — this is appropriate and proportional to a remote data service integration. As noted above, there is an inconsistency between the registry summary (which said no required env) and the packaged metadata, which requires TRADEGPT_API_KEY; verify that the platform will prompt for that key before use and that you supply a key only if you trust the vendor.
Persistence & Privilege
ok: always: false and no elevated privileges requested. The skill defines local storage paths for queries/reports/leads/logs under its own data directory (./data/yunlv-skills/customsScout/) — this is reasonable for a reporting/lead-generation skill. Autonomous invocation is allowed by default (disable-model-invocation:false), which is normal; there is no evidence the skill modifies other skills or system-wide configuration.