v1.0.0

Mysteel_BidSupply

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:12 AM.

Analysis

The skill appears purpose-aligned for Mysteel steel bidding and supply/demand searches, with the main cautions being local API key storage and outbound requests to Mysteel.

Guidance: This skill looks coherent for querying Mysteel bidding and steel supply/demand data. Before using it, be comfortable with sending search queries to Mysteel and with storing the API key locally in references/api_key.md; protect that file and rotate the key if it may have been exposed.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Info | Confidence: High | Status: Note
scripts/bidding_api.py
url = "https://mcp.mysteel.com/mcp/info/vector/rag-search" ... response = requests.post(url, headers=headers, json=payload, timeout=30)

The script sends user search terms and parameters to a fixed Mysteel API endpoint. This is purpose-aligned and bounded, but it is still an external API call users should expect.

User impact: Search terms, time ranges, and related query parameters may be shared with Mysteel when the skill is used.
Recommendation: Use the skill only for queries you are comfortable sending to Mysteel, and avoid including unnecessary confidential business details in search text.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/bidding_api.py
api_key_file = script_dir / "references" / "api_key.md" ... api_key_file.write_text(api_key.strip(), encoding="utf-8")

The code persists the user's API key in a local file under the skill directory. The behavior is disclosed and used for Mysteel authentication, but it creates a local credential that needs protection.

User impact: Anyone or any process with access to the skill directory may be able to read the saved Mysteel API key.
Recommendation: Use a dedicated or limited-scope API key if possible, restrict access to references/api_key.md, and delete or rotate the key when it is no longer needed.