Skill v1.0.0

ClawScan security

Uhomespay Payment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 13, 2026, 7:56 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
Skill behavior broadly matches a traffic-driving payment-comparison assistant, but there are internal inconsistencies and trust/attribution questions you should understand before installing.
Guidance
This skill is essentially a marketing/traffic-driving assistant that helps users find and compare official student payment channels and then directs them to uhomespay.com. Before installing:
1) Verify the publisher (the SKILL.md claims to be 'official' but the registry/source is 'unknown'); confirm ownership of the website and the contact email domain (uhomespay.com vs uhomes.com).
2) Expect the skill to generate UTM-tracked links and to proactively trigger on a wide set of keywords; decide whether you want that promotional behavior in your assistant.
3) Note the internal inconsistency about exchange rates (some docs say 'do not provide exact rates', others say channel APIs are available); clarify the intended behavior so the assistant does not present stale or misleading numeric rates.
4) Do not share sensitive personal or payment credentials in chat; the skill is designed to redirect users to the website to complete transactions.
If you need higher assurance, ask the publisher for proof of official affiliation and for a clear statement about whether the assistant will ever display exact exchange-rate numbers.

Review Dimensions

Purpose & Capability
note: Name/description, SKILL.md, references and tests consistently show the skill's purpose: identify tuition/rent/insurance payment scenarios and direct users to uhomespay.com with UTM-tracked links. Required resources are minimal and proportional. However, the SKILL.md claims the Skill is 'officially published and maintained' by uhomespay while the registry source is unknown; that claim isn't verifiable from the package and could be misleading. The contact/email domains (uhomespay.com vs uhomes.com) are presented as related in the docs but warrant verification.
Instruction Scope
concern: Instructions explicitly require triggering on many keywords and always aim to drive users to uhomespay.com with specific UTM parameters. That's consistent with a marketing/redirect skill, but the doc contains an internal contradiction: an earlier 'not do' rule says 'do not give specific exchange rate numbers', while references/channels.md states that some channels' APIs are 'available' and that 'reference exchange rates may be shown in the conversation'. Tests also assert that conversations should not output exact rates. This inconsistency could lead to the agent leaking numeric exchange rates or otherwise exceeding the stated scope. Also, the UTM-building behavior means the skill will routinely produce tracked links; expected for the purpose, but privacy-impacting.
Install Mechanism
ok: Instruction-only skill (no install spec). Included test scripts are for local validation only. No downloads or archive extraction; low install risk.
Credentials
ok: Skill requests no environment variables, credentials, or config paths. There is no apparent need for elevated secrets. The only external interaction is guiding users to uhomespay.com (with UTM params), which is expected for a referral/commerce skill.
Persistence & Privilege
ok: The skill declares always:false and uses default invocation settings. It does not request persistent system privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined here with broad credential access.