Skill v1.0.1

ClawScan security

钉钉宜搭开发助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 12:54 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
This is an instruction-only documentation skill for 钉钉宜搭 low-code development; its files, examples, and requirements match the described purpose and it does not request credentials or install code.
Guidance
This package is documentation-only and internally consistent with a Yida (钉钉宜搭) development helper. It does not ask for credentials or install code, so the immediate risk is low. Things to consider before installing/using: (1) origin unknown / no homepage listed — prefer skills from known publishers or with a homepage if you require traceability; (2) some examples show dynamically loading external scripts (g.alicdn.com and example.com placeholders) and remote API endpoints — do not blindly copy third-party URLs into production pages; verify any external script host and avoid loading untrusted scripts; (3) when you integrate with real DingTalk/Yida OpenAPI or AI nodes you will need platform credentials — supply those only to trusted code and follow your org's secret-management practices. If you want higher assurance, ask the publisher for a homepage, source link, or provenance information.

Review Dimensions

Purpose & Capability
ok: Name and description (Yida/DingTalk low-code dev helper) align with the provided content: component conventions, JS action panel APIs, formulas, integrations, TodoMVC tutorial and troubleshooting. The skill does not request unrelated binaries, env vars, or config paths.
Instruction Scope
note: SKILL.md and references are documentation and runtime examples for Yida pages and data sources only. Examples include dynamic loading of external scripts (e.g., g.alicdn.com/vConsole and placeholder example.com URLs) and remote API endpoints for DingTalk; these are expected for this domain but worth noting because copying/executing those example external URLs in a runtime could run third-party code.
Install Mechanism
ok: No install spec and no code files to write or execute. Instruction-only skills are lowest-risk from an install perspective.
Credentials
ok: No required environment variables, binaries, or credentials are declared or accessed. References to DingTalk/Open API usage are documented but the skill does not request keys itself.
Persistence & Privilege
ok: always is false and the skill is user-invocable/autonomous-invocation-enabled (default). It does not request elevated persistent privileges or modify other skills' config.