Skill v1.0.0
ClawScan security
Mysteel_PriceSearch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 24, 2026, 11:35 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- This skill's code and instructions align with its stated purpose (querying Mysteel price data): it calls Mysteel's API, writes CSVs into its own output directory, and does not request unrelated credentials or system access.
- Guidance
- This skill appears to do what it claims: it sends queries to https://mcp.mysteel.com and saves results as CSV files in the skill's output/ directory. Before installing: (1) add your Mysteel API key (one-line) to references/api_key.md as the script expects, not as an environment variable; (2) confirm you trust the Mysteel endpoint and that the API key has only the permissions you intend; (3) be aware the skill will create and periodically delete CSV files under its folder (cleanup of files older than ~24h and pruning beyond max_files); (4) there is no other credential or system access requested. If you need higher assurance, ask the author to (a) document API key setup in SKILL.md and (b) explicitly declare credential handling in registry metadata.
Review Dimensions
- Purpose & Capability
- ok: Name/description match the implementation: scripts/search.py calls a Mysteel AI search endpoint to fetch commodity, macro, and market data and saves results as CSV. There are no unrelated binaries, credentials, or permissions requested.
- Instruction Scope
- note: SKILL.md instructs running scripts/search.py and to use local shell tools to inspect CSV output. It also warns not to 'Read' entire CSVs. One small gap: SKILL.md does not explicitly tell the user how to provide the required API key file (references/api_key.md is present but empty); the script expects an API key in that file and will fail or return API errors without it.
- Install Mechanism
- ok: No install spec is provided (instruction-only with an included script). No packages or remote downloads are performed by the skill itself, so on-install risk is low. The script will be executed by the agent when invoked.
- Credentials
- note: The skill does not request environment variables or external credentials via registry metadata, but the script reads an API key from references/api_key.md and uses it as the 'token' header to the Mysteel endpoint. This file-based credential approach is reasonable but undocumented in SKILL.md; users should place only the Mysteel API key in that file and no other secrets.
- Persistence & Privilege
- ok: always is false and the skill does not request persistent system-wide privileges. It writes and deletes CSV files under its own output directory and removes old/excess files there; it does not modify other skills or system configs.
