Skill v1.0.0

ClawScan security

🌍 非洲市场政策查询Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 10:58 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (African policy queries) matches its simple, instruction-only implementation, but it claims flexible data-source configuration and automatic calibration without explaining how those operate or where data is fetched from — this mismatch deserves caution before installing.
Guidance
This skill is low-friction (no install, no secrets) and its examples match the title, but it leaves out important operational details. Before installing, ask the author how data is sourced (model-only vs. specific public APIs vs. crawled pages), what '快速校准' does and whether it performs network calls or writes state, and how to configure external data sources if you need up-to-date or authoritative information. Do not provide any credentials or grant additional privileges until you confirm data provenance. Treat outputs as informational only (not legal advice) and validate critical policy answers against official sources.

Review Dimensions

Purpose & Capability
note: Name and description (非洲市场政策查询) align with the SKILL.md usage examples and outputs. However, the skill advertises '灵活数据源配置' and multi-source calibration but declares no config paths, environment variables, or instructions for adding data sources; that's an unexplained capability gap.
Instruction Scope
note: SKILL.md contains only high-level instructions and expected response formats (tariff, legal basis, exemptions, etc.) and an automatic '快速校准' on first load, but it does not specify which external data sources or endpoints to query, whether scraping or API calls are used, or how calibration works. Because it is instruction-only, the actual data retrieval method is unspecified — likely relying on the model or on agent-internal connectors, which should be confirmed.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is low-risk from an install perspective because nothing will be downloaded or written during install.
Credentials
ok: No required environment variables, credentials, or config paths are declared. That is consistent with the '无需API Key' claim, but it also heightens the need to know where data comes from since no external credentials are requested.
Persistence & Privilege
note: _meta.json contains calibration settings (interval: 1800000 ms, trustedMode: true) and SKILL.md says it will run a quick calibration on first load. The skill does not set always:true and has no install actions, but the presence of periodic calibration metadata implies the skill may expect periodic invocations — clarify whether it performs background or scheduled network activity or stores state.