Skill v1.0.0

ClawScan security

🌏 东南亚市场政策查询Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 10:58 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only skill whose requested resources match its purpose; it doesn't request credentials or install code, but its claim of providing 'real-time' data lacks a described data source, so verify how it will fetch live updates before relying on it for decisions.
Guidance
This skill is instruction-only and appears coherent with its stated purpose; it doesn't ask for credentials or install code, so direct risk is low. Before relying on it for decisions: (1) confirm how it obtains 'real-time' policy updates (does your agent have web-browsing or an external connector enabled?), (2) don't treat outputs as legal/advisory final authority—verify with official government sources, and (3) review the platform's tool and network permissions (e.g., web access or browsing plugins) the agent may use to fetch live data. If you need guaranteed live data, ask the publisher which data sources or connectors the skill uses.

Review Dimensions

Purpose & Capability
note
Name/description promise (market policy queries for Southeast Asia) aligns with the skill content. The skill requests no credentials, binaries, or installs — consistent with an instruction-only LLM tool. One minor mismatch: it advertises '实时' (real-time) policy queries but does not document any data sources, APIs, or connectors that would provide live updates, so the apparent real-time capability is ambiguous.
Instruction Scope
ok
SKILL.md contains only user-facing examples, mode descriptions, and a short install command; it does not instruct the agent to read local files, access unrelated environment variables, or send data to external endpoints. The '快速校准' (quick calibration) and '校准框架v1.0' (calibration framework v1.0) mentions are descriptive and do not contain operational steps that would expand scope or exfiltrate data.
Install Mechanism
ok
No install spec and no code files are present (instruction-only). That minimizes on-disk risk; the single suggested install command is a registry client invocation and is typical for installing skills—no external downloads or archive extraction are used.
Credentials
ok
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate for a read-only, instruction-only policy/query helper. There are no unexplained SECRET/TOKEN requirements.
Persistence & Privilege
ok
Flags use defaults (always:false, agent invocation allowed). The skill does not request permanent presence or to modify other skills. Nothing in the metadata or SKILL.md indicates it will persist credentials or alter system-wide settings.