Skill v1.0.0

ClawScan security

警察执法资格考试助手 (Police Law Enforcement Qualification Exam Assistant) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 20, 2026, 1:34 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill is largely what it says (a local Python-based police exam assistant) and includes the expected data and code, but three things warrant caution before installing: the manifest's declared requirements are inconsistent, SKILL.md triggered the 'unicode-control-chars' prompt-injection signal, and the bundled web module (pqebot-web.py) was not fully visible to the review.
Guidance
This package appears to be a self-contained Python-based exam assistant with large local question banks and is mostly coherent with its stated purpose, but proceed cautiously:
1) SKILL.md contains Unicode control characters (a prompt-injection signal). Ask the developer for a cleaned SKILL.md with no hidden or control characters and an explanation of why they were present.
2) Inspect pqebot-web.py and start.py before installation to confirm whether they make network calls or send data externally. If you cannot review them, install only in an isolated environment (no network) or a sandbox.
3) Confirm you have Python 3 available: SKILL.md requires python3, while the registry summary claims no required binaries.
4) Do not provide any credentials or sensitive environment variables to this skill.
5) If you need stronger assurance, ask the developer to document every external endpoint used and to provide a line-by-line audit of the network-related code; otherwise treat the skill as potentially exfiltrative and run it with networking disabled.
Findings
[unicode-control-chars] unexpected: SKILL.md was flagged for unicode control characters (prompt-injection pattern). Hidden control characters are not needed for an exam assistant and can be used to obfuscate or manipulate prompt processing — treat as suspicious and request a sanitized SKILL.md.
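The two checks that guidance steps 1 and 2 and the finding above ask for (hidden Unicode characters in SKILL.md, and network-capable code in the bundled .py files) can be automated before anything is installed. The script below is an added example, not part of the ClawHub scanner or of the skill under review. The SKILL.md and web-module inputs are constructed stand-ins, since the real pqebot-web.py was not visible; the NETWORK_MODULES list and the treatment of Cc/Cf/Co characters as suspect are the author's choices. Requires Python 3.8+ (ast.Constant).

```python
"""Pre-install triage: hidden Unicode in SKILL.md, network code in bundled .py files.

Added example, not part of the ClawHub scanner or the skill under review.
Both inputs below are constructed stand-ins, not the real SKILL.md or pqebot-web.py.
"""
import ast
import re
import unicodedata

# Cc = control, Cf = format (zero-width chars, bidi overrides, TAG chars), Co = private use.
SUSPECT_CATEGORIES = {"Cc", "Cf", "Co"}
ALLOWED_CONTROL = {"\t", "\n", "\r"}        # ordinary whitespace, never flagged

# Top-level module names that can open sockets or talk to the network (assumed list).
NETWORK_MODULES = {
    "socket", "ssl", "http", "urllib", "requests", "httpx", "aiohttp",
    "ftplib", "smtplib", "websocket", "websockets", "xmlrpc", "telnetlib",
}
URL_RE = re.compile(r"^(https?|wss?|ftp)://", re.IGNORECASE)


def find_hidden_chars(text):
    """Return (line, col, 'U+XXXX', name, category) for every hidden or control char."""
    hits, line, col = [], 1, 0
    for ch in text:
        col += 1
        cat = unicodedata.category(ch)
        if cat in SUSPECT_CATEGORIES and ch not in ALLOWED_CONTROL:
            hits.append((line, col, f"U+{ord(ch):04X}",
                         unicodedata.name(ch, "<unnamed>"), cat))
        if ch == "\n":
            line, col = line + 1, 0
    return hits


def strip_hidden_chars(text):
    """Sanitized copy: what a 'cleaned SKILL.md' from the developer should match."""
    return "".join(ch for ch in text
                   if ch in ALLOWED_CONTROL
                   or unicodedata.category(ch) not in SUSPECT_CATEGORIES)


def _dotted(node):
    """'ur.urlopen' for the call target ur.urlopen(...); None if not a plain name chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def find_network_usage(source):
    """Return sorted (line, kind, detail); kind is 'import', 'call' or 'url'."""
    tree = ast.parse(source)
    bindings, hits = {}, []
    # Pass 1: record which module each local name is bound to, honoring 'as' aliases.
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                bindings[a.asname or top] = top
                if top in NETWORK_MODULES:
                    hits.append((node.lineno, "import", a.name))
        elif isinstance(node, ast.ImportFrom) and node.module:
            top = node.module.split(".")[0]
            for a in node.names:
                bindings[a.asname or a.name] = top
            if top in NETWORK_MODULES:
                hits.append((node.lineno, "import", node.module))
    # Pass 2: calls whose root name resolves to a network module, plus URL literals.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            dotted = _dotted(node.func)
            if dotted and bindings.get(dotted.split(".")[0]) in NETWORK_MODULES:
                hits.append((node.lineno, "call", dotted))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if URL_RE.match(node.value):
                hits.append((node.lineno, "url", node.value))
    return sorted(hits)


# Constructed SKILL.md stand-in: a zero-width space and a bidi override hidden in it.
SAMPLE_SKILL_MD = (
    "---\n"
    "name: exam-assistant\n"
    "description: Local police exam assistant\u200b\n"
    "---\n"
    "Run python3 start.py to begin.\u202e\n"
)

# Constructed stand-in for a web module; the real pqebot-web.py was not visible.
SAMPLE_WEB_PY = '''\
import json
import urllib.request as ur
from http.server import HTTPServer, BaseHTTPRequestHandler

REPORT_URL = "https://example.invalid/collect"

def load_bank(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)

def report(stats):
    data = json.dumps(stats).encode()
    ur.urlopen(REPORT_URL, data=data)

def serve():
    HTTPServer(("127.0.0.1", 8000), BaseHTTPRequestHandler).serve_forever()
'''

if __name__ == "__main__":
    for hit in find_hidden_chars(SAMPLE_SKILL_MD):
        print("SKILL.md hidden char:", hit)
    for hit in find_network_usage(SAMPLE_WEB_PY):
        print("web module network use:", hit)
```

On the constructed inputs the first check reports the zero-width space on line 3 and the right-to-left override on line 5 of SKILL.md, and the second reports the urllib and http.server imports, the hard-coded URL, the urlopen call and the HTTPServer construction. Both checks are triage aids only: the AST scan cannot see dynamic imports (`__import__`, importlib), subprocess calls to curl, or strings assembled at runtime, which is why guidance step 2's no-network sandbox remains the real control when the code cannot be fully reviewed.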

Review Dimensions

Purpose & Capability
note: Name/description match the included files: large local question banks, exam outline, knowledge points, and Python scripts (pqebot-core.py, pqebot-web.py, start.py). The SKILL.md declares a Python requirement (openclaw.requires.bins: ['python3']), which is coherent with the included .py files. However, the top-level metadata in the provided registry summary said 'Required binaries: none' while SKILL.md requires python3, a mild inconsistency in declared requirements.
Instruction Scope
concern: SKILL.md is mostly configuration and triggers; pqebot-core.py (shown) reads local JSON data and manages sessions (no obvious exfiltration). However: (1) a web module (pqebot-web.py) is included but its contents were truncated in the review, so that file could perform network requests; (2) SKILL.md was flagged for unicode control characters (prompt-injection pattern), which may be an attempt to hide or manipulate LLM instructions. Together these raise scope concerns, especially around undisclosed network activity or hidden instructions.
Install Mechanism
note: There is no external download URL and the bundle includes all code and data files. The SKILL.md contains an openclaw.install entry ('id: skill-files'), so skill files will be written to disk when installed. This is expected for a code-based skill and is lower risk than fetching remote executables, but it does create persistent files on disk.
Credentials
ok: No environment variables or credentials are required and the visible code reads only local data files. The requested environment access appears proportional to the stated purpose. Still, because a web module is present, verify whether it uses network credentials or external endpoints before granting broader permissions.
Persistence & Privilege
ok: always:false is set and no elevated platform-wide privileges are requested. The skill will install files into the agent's skill directory (normal for a code-based skill) and can be invoked by the model (default behavior). There is no evidence it modifies other skills or system-wide settings.