Skill v1.0.0

ClawScan security

🇨🇳 中国市场政策查询Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 1:01 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
An instruction-only China policy query skill whose declared capabilities align with its requirements — it asks for no credentials, has no installable code, and its SKILL.md stays on-topic, though a brief calibration step is underspecified and you may want to verify provenance before installing.
Guidance
This skill appears coherent and low-risk based on the files you provided, but before installing:
1) verify the package provenance in the registry (owner ID / package slug) since 'Source: unknown' is shown;
2) if the platform exposes the skill's actual package or runtime code, inspect it to confirm the 'quick calibration' does not read or transmit unrelated local files or secrets;
3) prefer installing in a sandbox or with network monitoring the first time to observe external calls;
4) confirm you trust the author (metadata shows a personal iCloud contact) and check for updates or community feedback;
5) treat outputs as informational (SKILL.md already has a disclaimer) and validate any regulatory advice against official sources.

Review Dimensions

Purpose & Capability
ok: Name/description (China market policy queries) match the provided artifacts. The skill declares no binaries, no environment variables, and no config paths — all proportional to a read/query-style policy assistant.
Instruction Scope
note: SKILL.md contains usage examples and modes only; it does state that a 'quick calibration' runs on first load (惠迈校准框架v1.0) but does not describe what data that calibration accesses. This is vagueness rather than an explicit red flag, but you may want clarity about whether calibration reads agent context, system files, or transmits data.
Install Mechanism
ok: No install spec or code files are included in the bundle (instruction-only). The SKILL.md shows a platform install command (clawhub install policy-china) which is expected for a registry-published skill. Verify the registry source if concerned, because the skill's external origin is 'unknown' in the metadata provided.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. The _meta.json lists an author email (personal iCloud) but this is metadata only and not used at runtime per the artifacts provided.
Persistence & Privilege
ok: always:false and no install-time hooks or persistent components are present in the package. Autonomous invocation is enabled (platform default) but that is normal; metadata includes calibration settings (interval, trustedMode) which are descriptive and do not by themselves indicate elevated system privileges.