Skill v1.0.1

ClawScan security

东南亚市场政策查询Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 24, 2026, 1:39 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The package claims to be a DeepSeek/惠迈 multi-source real-time policy aggregator but the included code is a local synthetic data generator and the README/SKILL.md metadata contain multiple inconsistent or misleading claims — proceed with caution and verify before trusting or giving credentials.
Guidance
This skill appears to be a stub/local mock rather than the live-data DeepSeek/惠迈 integration it advertises. Before installing or using it for business decisions:
1) Do not provide API keys or secrets to this skill unless you confirm the author and that the skill actually implements secure connectors.
2) Verify which code will run: the included index.js just fabricates policy entries and contains no network-fetching or agent orchestration.
3) Resolve metadata mismatches (package name vs. installation instructions, declared dependencies vs. package.json, repository URLs) with the maintainer — these are signs of sloppy packaging or copy-paste.
4) If you need real-time, authoritative policy data, ask the maintainer for evidence of implemented data-source connectors and tests hitting real endpoints, or prefer a skill that clearly documents and implements those integrations.
5) As a precaution, run the package in an isolated environment (sandbox/container) and inspect runtime behavior before granting it access to any credentials or production agent.

Review Dimensions

Purpose & Capability
concern: The description and SKILL.md repeatedly claim DeepSeek v4 support, a 惠迈 three-layer agent architecture, multi-source data integration, real-time updates and connectors for government data/API keys. The actual shipped runtime code (index.js/index-simple.js) contains only a local generator that fabricates policy records and returns canned analyses — there are no network calls, no DeepSeek/agent orchestration, and no implemented data-source connectors. This mismatch means the skill does not deliver the live-data capability it advertises.
Instruction Scope
concern: SKILL.md instructs creating a config file at config/southeast-asia-policy.json with optional data source endpoints and apiKey, and shows claw/clawhub integration examples. The runtime code accepts a config object when instantiated, but there is no code that reads the specific config path, nor any implementation to fetch external data or call AI services. Instructions promise behavior (real-time scraping/monitoring, AI service integration) that the code does not implement.
Install Mechanism
ok: No install spec is provided and the package contains only local JS files; nothing in the manifest pulls arbitrary remote archives or runs downloads. This is low install risk — code will be installed from the skill bundle itself.
Credentials
note: The skill requests no environment variables and package.json lists no dependencies. However SKILL.md declares optional dataSources entries (endpoint, apiKey) and lists external deps (axios, cheerio, cron) that are absent from package.json. That inconsistency is a red flag: the skill may expect external credentials or networking in future versions, but the current bundle does not require them.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system settings. It runs as a normal user-level skill with no elevated persistence privileges.