Skillv1.0.0

ClawScan security

c刊期刊分析 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 11, 2026, 6:38 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions are coherent with its stated purpose (scraping CNKI for recent C-journal articles and producing a Word analysis report); it does not request unrelated credentials or install arbitrary external code, though it performs web scraping which has operational and ToS considerations the user should review.
Guidance: This skill appears to do what it says: it scrapes CNKI pages, builds a JSON dataset, runs a local Python analysis, and writes a Word report. Before installing or running it, consider: 1) Legal/ToS: scraping CNKI may violate their terms of service or access controls—ensure you have the right to scrape and respect copyright. 2) Access: CNKI may require institutional login or additional verification; the skill does not include credential handling and asks you to solve CAPTCHAs manually—do not paste credentials into chat. 3) Dependencies: you'll need to run pip3 install for several Python packages; review these packages and install them in a controlled environment (virtualenv). 4) Privacy: the skill will visit and extract content from CNKI and may use WebSearch fallbacks; review whether exposing article titles/abstracts to your agent is acceptable. 5) Code audit: the provided Python script appears benign and local, but part of it was truncated in the manifest—if you rely on this skill, inspect the full script to confirm no unexpected network calls or writing to unexpected locations. If you need a stricter risk posture, run the script in an isolated environment and avoid providing any login credentials through the agent.

Review Dimensions

Purpose & Capability: okName/description (CNKI/CSSCI journal analysis) matches the included pieces: a journal_codes reference, a browser-driven scraping workflow in SKILL.md, and a local Python analysis/report script. There are no unrelated environment variables, binaries, or cloud credentials requested.
Instruction Scope: noteSKILL.md explicitly instructs the agent to navigate CNKI pages, extract article lists, and (sample) abstracts, then run a local analysis script and save a Word report. This is within the stated purpose. Note: it relies on automated browsing and scraping and instructs the user to solve CAPTCHAs manually; it also suggests using WebSearch fallbacks. The scraping activity is expected for the purpose but has operational/ToS implications (see guidance).
Install Mechanism: okNo install spec (instruction-only with an included script). Dependencies are standard Python packages (jieba, wordcloud, python-docx, matplotlib, numpy) and are only suggested via pip. No downloads from untrusted URLs or archive extraction are present in the manifest.
Credentials: okThe skill requires no environment variables, credentials, or config paths. The Python script operates on local JSON input and writes outputs to an output directory (default ~/Downloads). There are no hidden credential accesses observed.
Persistence & Privilege: okFlags indicate normal behavior (always:false, autonomous invocation allowed). The skill does not request persistent/always-on inclusion and does not attempt to modify other skills or system-wide settings.