Skill v1.0.0

ClawScan security

europe-anz市场政策查询Skill (Europe/ANZ market policy query skill) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 24, 2026, 5:13 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are internally consistent with a configurable policy-query library; it does not request credentials or perform network installs, but it contains implementation bugs and placeholders and comes from an unknown source, so review before use.
Guidance
This skill appears to be a local policy-query library and does not itself phone home or require credentials, but it contains many placeholder dataSource values and small implementation bugs — e.g., fetchFromDataSource returns strings with '${name}' placeholders that are never replaced, and the browser export line uses an invalid identifier (window.EuropeAnzPolicyQuery = Europe-anzPolicyQuery) which will break in browsers. The README suggests using environment variables for API keys; only provide real API keys after you (1) inspect/understand the code that will use them, (2) confirm the skill will call your intended data sources, and (3) run it in a sandboxed environment first. Because the package author/homepage is unknown, consider: run npm test in an isolated environment, fix the placeholder/template bugs if you intend to use it, and only configure sensitive API keys after confirming network endpoints and code paths that will use them. If you need a higher assurance level, obtain the skill from a trusted maintainer or a repository with maintainer contact and verifiable release history.

Review Dimensions

Purpose & Capability
ok
The name and description (policy queries for Europe/ANZ) match the contained code and SKILL.md: the module is a local library that returns policy query and analysis results. It does not request unrelated credentials or binaries. The README shows how to pass API keys as config/env vars, which is coherent with a data-source-driven skill.
Instruction Scope
ok
SKILL.md and README instruct installation (clawhub/npm) and configuring data sources via environment variables. The runtime instructions do not ask the agent to read unrelated system files or exfiltrate secrets. They do recommend storing API keys in env vars (good practice) but do not automatically read unspecified host system state.
Install Mechanism
ok
There is no external download/install spec in the skill bundle (instruction-only install guidance). The package includes local JS files and package.json; there are no remote URLs, no extract steps, and no dependencies. This is low-risk from an installer perspective.
Credentials
note
The skill declares no required env vars or credentials. README examples show optional env vars (INVESTMENT_API_KEY, TRADE_API_KEY, etc.) — reasonable for configuring data sources. Because the skill currently uses placeholder data (no actual network fetching), providing API keys is optional but would be needed for real integrations. Requesting keys only at user configuration time is proportionate.
Persistence & Privilege
ok
The skill does not set always:true, does not modify other skills or global agent config, and keeps only in-memory caches. It does not request persistent system privileges.