Skill v1.0.0
ClawScan security
中国市场政策查询Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 22, 2026, 1:59 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's README/SKILL.md claims DeepSeek v4 and live data-source integrations, but the included code is a local stub that does not implement those integrations; this mismatch is suspicious and warrants caution before trusting or connecting real data/credentials.
- Guidance: This package looks safe to run as-is (the code is a local simulator and makes no network calls), but its documentation claims integrations (DeepSeek v4, 惠迈 agents, live data collection) that are not implemented in the shipped code. Before using it with real data or credentials: 1) verify the skill's provenance (homepage/repository/author); source is unknown; 2) inspect or obtain the real DeepSeek/惠迈 integration code or official client from trusted sources; 3) never paste API keys into code; use environment variables with least privilege; 4) test in an isolated environment (sandbox) before connecting production data sources; and 5) if you expect live data fetching, require proof (network calls, auth flows) and confirm the endpoints the skill will contact. The current mismatch between marketing and implementation is the reason for the 'suspicious' rating.
Review Dimensions
- Purpose & Capability (concern): The name/description advertise DeepSeek v4 driving analysis and real-time data collection via 惠迈智能体, but index.js contains only a local, simulated implementation (no network calls, no DeepSeek API usage). The advertised capabilities are not implemented in the code bundle, which is an inconsistency between claims and actual capability.
- Instruction Scope (ok): SKILL.md and README give installation and configuration guidance and recommend using environment variables for API keys. The runtime instructions do not tell the agent to read unrelated files, exfiltrate data, or call unexpected external endpoints. They are limited and scoped to installing/configuring the skill.
- Install Mechanism (ok): No install spec in registry (instruction-only). package.json exists but has no dependencies and test/start scripts are local; nothing downloads or extracts external code. Low install risk in the provided bundle.
- Credentials (note): Registry metadata declares no required env vars, but README/SKILL.md show example environment variables (INVESTMENT_API_KEY, TRADE_API_KEY, etc.) and recommend using them. That is reasonable for a data-source integration, but the registry did not declare these as required; if you later configure real data sources you will need to supply secrets. The package itself does not currently access any env vars.
- Persistence & Privilege (ok): The skill does not request elevated/persistent presence (always:false). It does not modify other skills or system settings; runtime behavior is limited to in-memory operations in provided code.
