Back to skill
Skillv0.0.1
ClawScan security
Juejin Article Trends · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:44 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions match its stated purpose (fetching juejin.cn categories and article rankings); it does not request credentials or install external code, though the manifest omits declaring that Node.js is required to run the bundled script.
- Guidance
- This skill appears to do what it says: it queries juejin.cn public APIs and prints JSON results. Before installing or running: (1) ensure you have Node.js available (the manifest didn't declare this but SKILL.md uses `node`); (2) review the included script yourself — it is small and network-only; (3) consider running it in an isolated environment if you are cautious; (4) be aware the script scrapes public API endpoints (rate limits or terms of service may apply), and the tool rotates User-Agent strings to avoid a fixed UA which is typical for scrapers but worth knowing.
Review Dimensions
- Purpose & Capability
- noteThe SKILL.md and scripts/juejin.js implement exactly what the description promises (fetch category list and ranked articles from juejin.cn). Minor inconsistency: the skill manifest lists no required binaries, but SKILL.md and the script expect Node.js (commands use `node scripts/juejin.js`).
- Instruction Scope
- okInstructions are narrowly scoped to running the included Node script to call juejin.cn public APIs. The script only performs HTTPS GET requests to juejin.cn API endpoints and does not read files, environment variables, or transmit data to unrelated endpoints.
- Install Mechanism
- okNo install spec is provided (instruction-only with an included script). Nothing is downloaded or written to disk by an installer; the only runtime requirement is an existing Node.js runtime to run the script.
- Credentials
- okThe skill requests no environment variables, secrets, or config paths. The code does not attempt to access credentials or other services beyond juejin.cn APIs.
- Persistence & Privilege
- okThe skill does not request permanent presence (always:false) and does not modify other skills or system settings. It behaves as a normal, on-demand helper.