Skillv0.1.0

ClawScan security

Zsxq Group · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 19, 2026, 2:29 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality (managing 知识星球 groups) matches the instructions, but it depends on an external shared SKILL.md for authentication and references a CLI binary that is not declared in the registry metadata — an undeclared credential/requirement dependency and missing provenance make it suspicious.
Guidance: This skill appears to do what it says (manage Zsxq groups) but has two red flags: (1) the SKILL.md requires the agent to read ../zsxq-shared/SKILL.md for authentication, yet this skill does not declare which credentials or env vars it needs; and (2) it expects a zsxq-cli binary but provides no install/source or provenance. Before installing or enabling this skill: inspect the referenced ../zsxq-shared/SKILL.md to learn exactly what credentials or tokens it requires; verify the zsxq-cli binary source and trustworthiness (official repo or package); ensure you are comfortable with any environment variables or files the shared SKILL.md asks the agent to access; and avoid enabling the skill if the referenced shared file or the CLI come from an unknown/untrusted origin. If you can obtain the zsxq-shared SKILL.md and verify the CLI origin, the risk is much lower.

Review Dimensions

Purpose & Capability: noteThe documented purpose (list groups, browse topics, query hashtags/members) is coherent with the instructions that call a zsxq-cli and its api call surface. However, the top-level registry metadata claimed no required binaries/env vars while the SKILL.md explicitly lists requires.bins: ["zsxq-cli"]. The skill's source/homepage is unknown, which reduces provenance and makes the presence of an external CLI harder to justify without further information.
Instruction Scope: concernThe SKILL.md has a CRITICAL precondition: the agent MUST read ../zsxq-shared/SKILL.md for authentication and error-handling rules. That external file likely contains authentication instructions (possibly env var names or token handling). Requiring the agent to read a sibling SKILL.md expands the scope beyond this skill's files and could expose or require access to credentials or other configuration not declared here. The runtime instructions also tell the agent to run zsxq-cli api call with user-supplied params — which is expected for this purpose, but the dependency on an external, undeclared shared file is the main scope concern.
Install Mechanism: noteThis is instruction-only with no install spec, which is lower risk because nothing is written to disk by the skill itself. However, it relies on an external binary (zsxq-cli). The skill provides no install mechanism or provenance for that binary, so the agent/operator must trust and separately install zsxq-cli; lack of an install spec or source for the CLI is a gap that increases risk.
Credentials: concernThe registry lists no required environment variables or primary credential, but the SKILL.md explicitly requires reading ../zsxq-shared/SKILL.md for authentication. That suggests this skill implicitly depends on credentials or env vars declared elsewhere but does not enumerate them here. Missing explicit declaration of required credentials (TOKEN/KEY/PASSWORD) is disproportionate for auditing and increases the chance the agent will access unspecified sensitive data.
Persistence & Privilege: okalways:false and no install spec — the skill does not request permanent presence or elevated privileges. It does not appear to modify other skills or system-wide settings. Autonomous invocation is allowed but is the platform default and not a standalone concern here.