Skill v0.1.0
ClawScan security
Zsxq Topic · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 19, 2026, 2:31 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions look coherent for managing Zsxq topics, but there are important mismatches (declared requirements vs SKILL.md) and missing authentication details that make its behavior unclear and potentially risky.
- Guidance
- This skill appears to be a wrapper for the zsxq-cli tool to manage 知识星球 topics, but it has important gaps you should resolve before installing:
  - Verify presence and provenance of zsxq-cli on your system. The SKILL.md expects this binary, but the registry metadata does not declare it — confirm which is authoritative.
  - Ask the publisher for the referenced '../zsxq-shared/SKILL.md' (it should contain authentication and security rules). Do not proceed unless you can inspect that file and confirm how credentials are read/used.
  - Confirm what credentials (cookie, token, API key) the CLI needs and where they must be stored. The package declares no env vars but performs authenticated, irreversible actions; that lack of declaration is suspicious.
  - Be cautious about destructive commands (DELETE topic) and public writes (answers/comments). The instructions require user confirmation before writes — ensure any integrator enforces that confirmation and does not run these commands autonomously without explicit consent.
  - Prefer installing only if the skill's source/maintainer is known and you can audit the shared auth file and the zsxq-cli behavior. If the source is unknown or you cannot verify authentication handling, treat this as unsafe to enable for autonomous use.
Review Dimensions
- Purpose & Capability
- concern: The skill is described as a Zsxq (知识星球) topic manager and its SKILL.md expects the 'zsxq-cli' binary to perform API calls — that aligns with the stated purpose. However, the registry metadata lists no required binaries or credentials, and the package does not declare any auth environment variables despite doing write/delete operations. This mismatch between claim and declared requirements is unexplained.
- Instruction Scope
- concern: Runtime instructions invoke 'zsxq-cli' for reads and destructive writes (create/reply/answer/delete) and explicitly require reading an external '../zsxq-shared/SKILL.md' for authentication and error rules. The shared SKILL.md is not included in this bundle, so the agent would need external context to authenticate. The skill properly annotates that writes are public and require confirmation, but reliance on an external, non-bundled file for auth is a scope and availability concern.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by the skill package itself.
- Credentials
- concern: The skill performs authenticated, irreversible operations (e.g., DELETE topic, posting answers that cannot be changed) yet declares no required environment variables or primary credential. Real use of zsxq-cli will require credentials (cookies/tokens). The absence of declared credentials, or of any explanation of where/how authentication is provided, is disproportionate and opaque.
- Persistence & Privilege
- ok: 'always' is false and the skill does not request persistent or elevated platform privileges. It does not modify other skills' configs. Note: autonomous invocation is allowed (platform default) — combined with the ability to perform destructive writes, this increases the blast radius if auth is available.
