Skillv1.0.0

ClawScan security

公众号爆款文章查询 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewApr 14, 2026, 2:26 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to do what it says (query a backend for WeChat public-article trends) but contains several implementation choices — notably a custom HTTPS socket that disables certificate verification and avoids SNI, plus an opaque external endpoint — that are unexpected and warrant caution.
Guidance: This skill mostly does what it claims (it calls an included Python script to fetch and format WeChat public-article trend data), but there are red flags you should consider before installing or using it: - The script calls a third-party API at onetotenvip.com. If you run the skill, your query keywords (and possibly other context) will be sent to that host. Only use it if you trust that service. - The script disables TLS certificate verification and deliberately avoids sending SNI (server name) when establishing HTTPS connections. This makes network connections opaque and can be used to evade interception detection — a risky implementation choice. Avoid sending sensitive or private keywords/data via this skill. - The SKILL.md lists the 'requests' library dependency, but the script does not use requests; this inconsistency may be benign but is worth asking the author about. Recommendations: - If you must use it, run it in an isolated/sandbox environment or on a machine/network where you can monitor outbound traffic (so you can see what is sent to onetotenvip.com). - Ask the skill author for the API provider's documentation and why TLS verification/SNI were disabled; prefer a version that uses verified TLS (requests or urllib with certificate validation) and a documented, trusted backend. - Do not use the skill for queries containing sensitive, confidential, or personally identifiable information until you can verify the remote service's trustworthiness. - If you have the capability, examine (or ask the author to publish) the remainder of the script to confirm there is no additional behavior (file reads, credential harvesting, unknown callbacks).

Review Dimensions

Purpose & Capability: noteName/description (获取公众号热门文章) match the included script which queries a remote API and formats results. However there are two mismatches: the SKILL.md declares a dependency on the 'requests' library although the provided script implements its own raw-socket HTTPS client (it does not use requests), and the script calls an opaque third-party endpoint (https://onetotenvip.com/...) instead of a clearly documented official data source. Requiring network access to a single unknown domain is plausible for this purpose, but the combination with the custom transport is unexpected.
Instruction Scope: okRuntime instructions are explicit: read the included references, follow the workflow, and call scripts/fetch_gzh_trends.py with the given parameters. The SKILL.md does not instruct the agent to read arbitrary system files or extra environment variables beyond the included reference files, and the scripted flow enforces user-confirmation rules for generic keywords. The instruction scope is narrow and aligned with the stated purpose.
Install Mechanism: noteThere is no install spec (instruction-only plus an included Python script), which minimizes installation risk. However the declared python dependency 'requests>=2.28.0' does not appear to be used by the provided script (the script implements HTTP via sockets). This mismatch is unexpected and could be benign sloppiness or an attempt to conceal behavior in a dependency; it merits review.
Credentials: concernThe skill requests no environment variables or credentials, which is good. However the script sends user-supplied keywords and start dates directly to an external domain (onetotenvip.com) over a custom TLS connection that explicitly disables certificate verification and sets server_hostname=None (no SNI). That combination increases risk: queries (potentially containing sensitive keywords or context) will be transmitted to a third-party host, and TLS verification is disabled so man-in-the-middle interception cannot be detected. No justification for these choices is documented in SKILL.md or references.
Persistence & Privilege: okThe skill does not request persistent privileges (always:false) and does not modify other skills' configuration. It runs a local Python script on demand. Autonomous invocation is enabled (platform default) but not combined with other high-risk indicators.