Back to skill
Skillv1.0.0
ClawScan security
地址智能分类器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 7:07 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, documentation, and runtime instructions are internally consistent with an address-classification tool; it does not request credentials or perform obvious external communication.
- Guidance
- This package appears to be what it claims—a local Chinese address classifier implemented in Python. Before installing: (1) be aware address lists are personal data (PII); avoid processing sensitive datasets on untrusted machines or sharing outputs. (2) Review config/config.yaml and logging settings to avoid writing PII to shared log files; set log_file to None if you want console-only logs. (3) The only runtime dependency is PyYAML; ensure you install in a virtualenv. (4) If you will run this in production or on large/other-province datasets, validate accuracy and expand the mappings as needed. If you require network-free guarantees, inspect the code yourself (all source files are included) — there are no network calls in the provided code.
Review Dimensions
- Purpose & Capability
- okName/description (Chinese address classifier) matches the delivered artifacts: Python implementation, config.yaml, examples, and SKILL.md describing TSV/CSV/JSON input and local file output. Default target region (贵州省/贵阳市) is configurable and explained.
- Instruction Scope
- okRuntime instructions and code operate on local input files, local config/config.yaml, and produce local output; search-completion is implemented via internal mappings. There are no instructions to read unrelated system files, access environment variables, or contact external endpoints.
- Install Mechanism
- okNo install spec in registry; repository includes a requirements.txt (PyYAML) and normal Python scripts. Installation relies on standard pip usage (low/expected risk). No downloads from arbitrary URLs or extract steps are present.
- Credentials
- okThe skill declares no required environment variables, credentials, or special config paths. The code reads config/config.yaml (present in the package) and supports optional log file path; these are proportional to its purpose.
- Persistence & Privilege
- okSkill is not always-enabled and does not request elevated persistence or modify other skills. It logs to console or an optionally configured file and runs locally; autonomous invocation is possible by default but is normal for skills and not combined with other red flags here.