Skill v1.0.0

ClawScan security

AI 副业顾问 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 7:46 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions roughly match its stated purpose (scanning job platforms and recommending gigs) but there are several inconsistencies and undeclared requirements (local config file, missing deps, potential API/key usage) that you should clarify before installing.
Guidance
Before installing, ask the publisher to explain and fix the mismatches: (1) declare required binaries explicitly (SKILL.md uses curl and jq); (2) declare any config paths (it reads ~/.openclaw/workspace/HUSTLE.md) and explain what data is read/stored there; (3) clarify how API keys (for platforms) are provided, stored, and protected — do not supply keys until you know where they go; (4) confirm whether network scraping is performed with authentication and whether it respects platform terms of service; (5) if you plan to run this skill, run it in a restricted/sandboxed environment first and review any outputs for sensitive data. Because the SKILL.md and registry metadata disagree, treat the skill as untrusted until those inconsistencies are resolved.

Review Dimensions

Purpose & Capability
note: The skill's described purpose (scan freelancing platforms and recommend opportunities) aligns with the runtime instructions (curl-based scraping and analysis). However, the registry metadata claims no required binaries/config paths while SKILL.md declares a dependency on curl and demonstrates use of jq and a local config file (~/.openclaw/workspace/HUSTLE.md). Those mismatches are unexpected and should be reconciled.
Instruction Scope
concern: SKILL.md explicitly instructs the agent to fetch pages from external platforms (Upwork, Fiverr, Juejin, etc.), run curl and jq pipelines, and read a local configuration file at ~/.openclaw/workspace/HUSTLE.md. The instructions will therefore access network resources and a user-local config file that may contain sensitive preferences. The SKILL.md also suggests using API keys but does not specify how they're supplied or stored. These actions go beyond a purely passive suggestion tool and can touch private data and network endpoints.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code. That is the lowest-risk install mechanism because nothing new is written to disk by an installer. The runtime instructions still rely on external binaries (curl, jq) that must be present.
Credentials
concern: The skill declares no required environment variables or credentials, yet SKILL.md recommends '配合 API Key' and shows network scraping examples. It also references a specific local config path (~/.openclaw/workspace/HUSTLE.md) that the skill will read, which is not declared in the registry metadata. Undeclared access to local files and potential API keys is disproportionate to the missing declarations and should be clarified.
Persistence & Privilege
ok: The skill does not request always:true and has no install-time persistence. It is user-invocable and can run autonomously as per platform defaults, which is normal. There is no evidence it modifies other skills or system-wide settings.