Africa

ReviewAudited by ClawScan on May 10, 2026.

Overview

This skill does not show malware, but it appears unfinished or misleading and may expose API keys if configured as documented.

Install only if you understand this appears to be a placeholder/demo skill. Do not configure real API keys until the publisher fixes secret handling, declares required credentials, removes credentials from outputs, and provides verifiable real data/model integration.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium

#ASI03: Identity and Privilege Abuse

What this means

If you follow the setup example with real API keys, those keys may appear in skill outputs instead of staying private.

Why it was flagged

The configured dataSource value is copied into query results. The README shows dataSources populated from INVESTMENT_API_KEY and TRADE_API_KEY, so real credentials could be echoed into agent context, logs, or user-visible output.

Skill content

dataSource,
...
return {
  ...
  dataSource,
  language: this.config.language
};

Recommendation

Do not provide real API keys until secrets are separated from display fields, required env vars are declared, and returned results mask or omit credential values.

Medium

#ASI09: Human-Agent Trust Exploitation

What this means

Users could mistake placeholder or fabricated policy analysis for live, model-backed market intelligence and make business decisions on unreliable output.

Why it was flagged

The skill claims DeepSeek v4-driven, accurate, real-time policy analysis, but the supplied code has no DeepSeek/API integration and labels data fetching as simulated, creating a trust mismatch.

Skill content

基于DeepSeek v4的智能政策分析系统...确保数据准确性和实时性

Recommendation

Treat this as a demo unless the publisher supplies real data-source/model integration, clear freshness limits, and accurate documentation.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

You may have less assurance that the installed package matches the reviewed artifacts.

Why it was flagged

The skill lacks source/homepage provenance while the README instructs users to install a package by name. No malicious install behavior is shown, but package identity should be verified.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the ClawHub slug, npm package owner, and reviewed source before installing or running it.