Skill v1.0.0

ClawScan security

india市场政策查询Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 5:13 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's documentation and marketing claim multi-source, real-time integrations (DeepSeek v4, 惠迈智能体) and expect configurable API keys, but the included code is a local stub that never calls external services or uses any credentials—this mismatch is suspicious and warrants caution before installing or supplying secrets.
Guidance
This package appears to be a stub/placeholder rather than a working connector. It claims real-time multi-source integration (DeepSeek v4, 惠迈智能体) and advises using API keys, but the code only returns simulated, local data and does not read environment variables or perform network calls. Actionable advice:
- Do not provide any real API keys or secrets until you confirm the skill actually uses them securely. The skill currently does not consume env vars, so giving keys would likely be useless and could be accidentally placed in configs.
- Inspect and test locally (npm test runs included test.js) before using in production. The tests are local-only and show the code is mocked.
- If you expect real data ingestion, request the maintainer/source code that implements network/data-source integrations (HTTP clients, auth flows) or implement those connectors yourself and audit them for safe handling of credentials.
- Treat the mismatch between marketing (DeepSeek v4 integration) and implementation as a red flag: it may be unmaintained, incomplete, or a placeholder. If you need a production-ready skill, prefer one whose code and declared env vars clearly match its advertised capabilities.

Review Dimensions

Purpose & Capability
concern: The name/description promise multi-source data ingestion, real-time updates, DeepSeek v4 and 惠迈 agent integration. However index.js contains only local/mock logic (fetchFromDataSource returns simulated data) and package.json has no dependencies. The skill does not implement network fetches, DeepSeek hooks, or any real data-source connectors despite claiming them.
Instruction Scope
note: SKILL.md/README instructs users to configure dataSources and manage API keys via environment variables, but the runtime instructions and index.js do not read process.env or any files—there is no code that transmits data off-host. The instructions are scoped to configuration but are inconsistent with the code's actual behavior.
Install Mechanism
ok: No install spec is provided (instruction-only skill), and package.json declares no dependencies. There are no downloads or extract steps. Installation is low-risk from an installer perspective.
Credentials
concern: The README/SKILL.md recommend using environment variables for API keys, but the skill's metadata declares no required env vars and the code does not use process.env. This is an inconsistency: the skill advertises credential use but doesn't actually consume them, which could confuse users and lead to unsafe credential handling if they modify the code.
Persistence & Privilege
ok: The skill does not request persistent presence (always: false) and the code does not modify system or other skill configurations. No elevated persistence or privileges are requested.