Skill v1.0.3

ClawScan security

Skill Product · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 8:24 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (generating multilingual, platform‑adapted product descriptions) matches its declared API-based operation; it asks for one service credential and contains only local reference docs — nothing obviously malicious — but there are small metadata inconsistencies and some data-sharing implications you should be aware of.
Guidance
This skill appears to do what it says, but it relies on an external API (https://api.yunlvai.com) and requires a TRADEGPT_API_KEY: expect that any product specs or competitor text you paste will be sent to that service. Before installing or providing an API key: (1) confirm the registry metadata (there is a mismatch about whether an env var is required); (2) review yunlvai's privacy/terms to ensure pasted product or competitor content can be shared; (3) avoid sending sensitive or proprietary specs/price lists unless you're comfortable with that provider; and (4) use a dedicated API key scoped to this skill if possible and monitor usage/billing.

Review Dimensions

Purpose & Capability
ok: The skill is a product-description generator and the SKILL.md + clawhub.yaml consistently describe an external TradeGPT API (api.yunlvai.com) and a single required credential (TRADEGPT_API_KEY). That API key is coherent with the stated purpose (remote content generation / translation / SEO assistance).
Instruction Scope
note: The instructions operate on user-provided product parameters, optional competitor descriptions, and local reference docs. They do not instruct reading unrelated system files. However, the skill presumes sending product/competitor text (and implied SEO queries) to the yunlvai API — so users should expect their pasted content to be transmitted off‑device. The SKILL.md is somewhat high-level about how SEO metrics (search volume/competition) are obtained; likely via the external API but this is not explicitly described.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no binaries to download — lowest installer risk. All supporting resources are plain markdown files included in the bundle.
Credentials
note: The skill declares a single external credential (TRADEGPT_API_KEY) which is proportionate for calling the yunlvai TradeGPT API. There is an inconsistency: the registry summary at the top of the report said 'Required env vars: none', but the SKILL.md and clawhub.yaml require TRADEGPT_API_KEY. Confirm which is authoritative before installing.
Persistence & Privilege
ok: The skill does not request always:true and has no install hooks or system-wide modifications. It does not request elevated platform privileges.