Skill v1.0.0

ClawScan security

Mysteel_MarketAnalysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 24, 2026, 11:32 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary: The skill mostly does what it says (it calls the Mysteel internal API using a local API key file and expands the returned report), but there are a few inconsistencies and small risks (an undeclared required config path, a plaintext key file, and a missing install step for requests) that warrant caution before installing.
Guidance
This skill is coherent with its stated purpose (calling Mysteel's analysis API and expanding the returned report), but take these precautions before installing:

1) Confirm you actually trust the endpoint https://mcp.mysteel.com and that you are allowed to send queries and confidential data to it.
2) Be aware the API key is stored in plaintext at references/api_key.md; consider storing secrets in a secure vault instead of a repo file.
3) The registry metadata omits that references/api_key.md is required; verify and update the metadata or deployment procedures to avoid surprises.
4) Ensure the runtime has requests==2.31.0 installed or the script will fail.
5) If you do not have a Mysteel API key or don't trust the source, do not provide a key; the skill enforces not answering without a valid key.

If you want higher assurance, request that the publisher fix the metadata (declare the required config path), remove the plaintext key requirement, and document the exact API behavior and privacy guarantees.

Review Dimensions

Purpose & Capability
note: Name/description match the code and instructions: the skill queries a Mysteel analysis endpoint and returns/expands a Markdown report. However, the registry metadata claims no required config paths or env vars while the SKILL.md and scripts/analyze.py require a specific local file (references/api_key.md) containing the API key. This metadata omission is an inconsistency that should have been declared.
Instruction Scope
ok: Runtime instructions are constrained: read a specific references/api_key.md file, construct a query, and run scripts/analyze.py, which POSTs to https://mcp.mysteel.com. The skill does not instruct reading arbitrary system files or exfiltrating data to unexpected endpoints. It also enforces not answering without a valid API key.
Install Mechanism
note: There is no install spec (instruction-only), which reduces risk, but the SKILL.md declares a Python dependency (requests==2.31.0) while no installer is provided; if the runtime lacks that package the script will fail. No downloads or external installers are present.
Credentials
concern: The skill requires a sensitive API key, but it expects the key in a plaintext file at references/api_key.md (not declared in registry metadata). The key is not requested via environment variables but stored in and read from disk; storing secrets in a plaintext file is a confidentiality risk. The script error messages also reference an inconsistent identifier (MYSTEEL_CLAW_APIKEY), a minor red flag for sloppy documentation.
Persistence & Privilege
ok: The skill does not request persistent/always-on privileges and does not modify other skills or system-wide settings. It only runs the provided script when invoked.