Skill v1.0.9

ClawScan security

Innovation Assistant by TRIZ · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 27, 2026, 9:40 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and network calls match its stated TRIZ innovation analysis purpose; it sends user problem descriptions to a remote PatSnap/Eureka endpoint (so do not submit sensitive or confidential data).
Guidance
This skill is coherent with its description but transmits whatever you enter to a remote Eureka/PatSnap test endpoint (qa-eureka-service.zhihuiya.com). Before using it: (1) Do not paste confidential, proprietary, or NDA-covered technical details or personal data — the SKILL.md explicitly warns about this. (2) Verify you trust PatSnap/Eureka and review their data/privacy terms if you plan to submit IP-sensitive information. (3) If you want to test, use non-sensitive example problems first. (4) If you must analyze sensitive designs, do so offline or in an environment that does not allow outbound network calls, or block the MCP endpoint at the network level. (5) You can inspect the three scripts (they are short and readable) to confirm what is sent; they POST JSON-RPC payloads containing the user_input/idea_summary data to the stated URL. If any of these points are unacceptable, do not enable the skill.

Review Dimensions

Purpose & Capability
[ok] Name/description (TRIZ innovation analysis) align with the included scripts and references: the scripts call a TRIZ analysis MCP endpoint and the references describe the TRIZ workflow. Required tools (curl, jq) and the runtime behavior are appropriate and proportional to the stated purpose.
Instruction Scope
[note] SKILL.md explicitly instructs the agent to send the user's problem descriptions, product info and selected problem data to an external service (qa-eureka-service.zhihuiya.com) for analysis, and to automatically invoke follow-up image/solution calls. This is expected for a cloud-assisted TRIZ tool, but it means all user-provided content is transmitted off-machine — the skill itself warns against sending confidential/NDA/export-restricted data.
Install Mechanism
[ok] No install script or archive is downloaded; this is an instruction-only skill with three small helper shell scripts. The scripts simply use curl and jq to POST JSON-RPC to the remote MCP URL. There is no extract/download of arbitrary code or third-party packages.
Credentials
[ok] The skill requires no environment variables, credentials, or config-path access. It only requires curl and jq (documented). No unexpected secrets or unrelated service credentials are requested.
Persistence & Privilege
[ok] The skill does not request persistent system presence (always:false) and does not modify other skills or system-wide settings. It will invoke the remote service autonomously when run, which is normal for this kind of skill.