Yidun Skill Sec Review
Audited by ClawScan on May 1, 2026.
Overview
This skill is coherent as a security scanner, but it sends redacted scan evidence to a cloud service by default, so users should review the privacy setting before use.
This appears purpose-aligned for scanning third-party packages. Before installing, decide whether default cloud threat intelligence is acceptable for the code you scan; disable it with YIDUN_SKILL_SEC_CLOUD=false for private or sensitive packages, and only enable local payload logging if you need an audit record.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: Information about scanned packages, and some redacted code evidence, may leave the local machine unless cloud scanning is disabled.
The skill clearly discloses a default-on data flow to an external provider, including redacted snippets/evidence from scanned packages.
Evidence: Cloud analysis calls `POST https://as.dun.163.com/v1/agent-sec/skill/check` and is **enabled by default**.
- Uploads fingerprint, behavior tags, and redacted evidence artifacts
Recommendation: Use the default cloud mode only for packages you are comfortable sharing in redacted form; set YIDUN_SKILL_SEC_CLOUD=false for private or highly sensitive code.

Finding 2: A user may rely on the stated redaction and deletion guarantees when deciding whether to allow cloud scanning.
The artifact makes strong privacy and retention assurances around a default cloud upload workflow; these are trust-sensitive provider claims users should notice.
Evidence: The following data is **never uploaded**: ... Any personal or private data ... Cloud detection data is used **exclusively for the current security scan** and is **destroyed immediately**
Recommendation: Treat the privacy statements as provider assurances; disable cloud mode when scanning proprietary, personal, or regulated material.

Finding 3: Normal use may involve local command execution and network access to the documented endpoint.
The skill requires local tools that can perform hashing, parsing, and outbound requests; this is expected for its scanner purpose and is disclosed.
Evidence (excerpt of the required-tools table):

| Tool | Purpose |
| --- | --- |
| `curl` | Cloud API calls |
| `jq` | JSON response parsing |
| `openssl` | File hash computation |

Recommendation: Confirm the required tools are acceptable in your environment and restrict network access if cloud scanning is not desired.

Finding 4: If enabled, local audit logs may retain details from scanned packages after the scan finishes.
The skill can optionally persist the redacted upload payload locally, which may include scan evidence snippets.
Evidence: YIDUN_SKILL_SEC_LOG_PAYLOAD (optional) - Log the redacted payload locally before cloud upload for audit. Default: false
Recommendation: Leave payload logging disabled unless you need an audit trail, and protect or delete any generated logs appropriately.
