Skill v1.0.1
ClawScan security
采招网招标查询 (Bidcenter tender search) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 10:59 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated purpose (querying bidcenter.com.cn), it requires no credentials or installs, and its network calls are limited to the declared API endpoint.
- Guidance
- This skill appears coherent and limited to querying bidcenter.com.cn's public interface: it makes POST requests to the declared API and uses an embedded AES key to decrypt responses. It does not request any secrets or install additional software. Consider that (1) the embedded decryption key/IV are necessary to parse the provider's encrypted responses; this is normal for a client of such an API, but it means the script ships static crypto material, so the encryption gives no confidentiality against anyone holding the script, and a key rotation on the provider side will break the skill until it is updated; (2) the remote API may change, be rate-limited, or require paid VIP access for some data; and (3) the skill relies on a global fetch being available in the runtime environment (Node 18 or later, or a browser-like runtime). If you need guaranteed uptime or access to paid data, verify with the data provider or use an official API key/service instead.
Review Dimensions
- Purpose & Capability
- ok · Name/description match the implementation: the JS code builds POST requests to interface.bidcenter.com.cn, parses and AES-decrypts the response, and returns structured bid results. There are no unrelated credentials, binaries, or external services requested.
- Instruction Scope
- ok · SKILL.md instructs calling scripts/main.js's execute(input) and documents parameters and outputs. The instructions do not ask the agent to read local files, environment variables, or to transmit data to any endpoint other than the bidcenter API used by the code.
- Install Mechanism
- ok · No install spec is provided (instruction-only with a bundled script). Nothing is downloaded or written to disk during install; the single bundled JS file performs runtime network requests only.
- Credentials
- ok · The skill requires no environment variables, credentials, or config paths. The code uses only a hard-coded API URL, referer, and user-agent; the embedded AES key/IV are present to decrypt the site responses, which is consistent with the stated purpose.
- Persistence & Privilege
- ok · The skill does not request persistent/always-on presence (always: false) and does not modify other skills or system configuration. It runs on demand and only issues network requests to the declared API.
