ClawHub
Back to skill
v1.0.1

Huoban

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 6:42 AM.

Analysis

This is an instruction-only Huoban helper; it includes legitimate API, token, webhook, and data-mutation examples that users should handle carefully, but no hidden or automatic harmful behavior is evidenced.

GuidanceThis skill appears safe to install as an instruction-only Huoban assistant. Before using its API examples, protect your Huoban token, avoid granting unnecessary permissions, and require explicit confirmation before creating, updating, or deleting real records.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
def create_item(...); def update_item(...); def delete_item(... resp = requests.delete(url, headers=self.headers)

The API client example includes create, update, and delete operations against Huoban records. This is aligned with API integration guidance, but these operations can alter business data.

User impactCode or agent actions based on these examples could modify or delete Huoban records if run with a valid token.
RecommendationRequire explicit user approval for create/update/delete actions, test against non-production tables first, constrain table/item IDs, and keep backups or rollback procedures.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
伙伴云 API 使用 API Token 认证... "Authorization": f"Bearer {api_token}"

The skill documents use of a Huoban API token. This is expected for API integration, but the token may grant access to account data and actions.

User impactIf a Huoban API token is pasted into chat, logs, or unsafe code, someone else could use it to access or change Huoban data.
RecommendationUse the least-privileged token available, store it as a secret or environment variable, avoid pasting it into prompts/logs, and rotate it if exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceMediumStatusNote
SKILL.md
@app.route('/webhook/huoban', methods=['POST']) ... data = request.json ... event_type = data.get('event')

The visible webhook example accepts external POST data and processes events. Webhook integration is purpose-aligned, but the shown snippet does not display origin/signature validation.

User impactIf copied directly into a real service without authentication or validation, a webhook endpoint could process spoofed events or mishandle Huoban record data.
RecommendationAdd webhook authentication or signature verification, validate payloads, use HTTPS, and limit what event data is logged or forwarded.