Skill v1.0.1

ClawScan security

ziniao-assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 26, 2026, 1:01 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's runtime instructions match its stated purpose (control a local Ziniao bridge), but the SKILL.md expects environment variables and a local config file (~/.zclaw/config.json) while the skill metadata declares no required env/config — this mismatch and implicit access to a local config file are concerning and should be clarified before use.
Guidance
This skill appears to do what it says (talk to a local Ziniao bridge), but the SKILL.md expects an API key and a local config file while the registry metadata declares none; that's the main inconsistency. Before installing:

- Confirm whether the skill actually needs ZCLAW_API_KEY and whether that key will be read from an env var or from ~/.zclaw/config.json. If so, the metadata should list that config path and env var.
- Understand that the skill will call localhost (default http://127.0.0.1:9481). Only install if you trust the local bridge running there: a compromised local service could misuse the skill's ability to invoke tools or accept posted data.
- Ask the publisher to update metadata to declare required env vars/config paths, and to document exactly what information is read from ~/.zclaw/config.json. Prefer explicit declared requirements over implicit file reads.
- Consider running the agent in a restricted environment (or without the API key) until you confirm behavior. If you must provide ZCLAW_API_KEY, store it securely and consider limiting its privileges.
- If you are uncomfortable with the skill reading a file in your home directory or with the documented operations (download_file, get_logs, write-to-Downloads), do not install until the publisher clarifies and the metadata is corrected.

Review Dimensions

Purpose & Capability
note: The name and description (control the Ziniao Browser via a local Ziniao bridge) align with the instructions to GET /zclaw/tools and POST /zclaw/tools/invoke on a local base URL (default http://127.0.0.1:9481). That functionality is coherent with the stated purpose. However, the skill metadata declares no required environment variables or config paths even though the SKILL.md references ZCLAW_BASE_URL / ZINIAO_ZCLAW_BASE_URL, ZCLAW_API_KEY, and ~/.zclaw/config.json as runtime inputs; this omission is inconsistent with expected capability declarations.
Instruction Scope
concern: The SKILL.md explicitly instructs the agent to: (1) perform network calls to the local bridge (GET and POST to /zclaw/tools endpoints), (2) read an API key from an environment variable (ZCLAW_API_KEY) or from the local file ~/.zclaw/config.json, and (3) retain an allowlist in session memory. The local network calls and session state are within scope. The instruction to read ~/.zclaw/config.json (a user home config file) is out-of-band relative to the skill metadata (which lists no required config paths) and could expose sensitive credentials; this access should have been declared. The skill also documents commands that may write/download files via the bridge (download_file) and fetch bridge logs (get_logs); these are plausible for a browser-bridge skill but should be documented as they affect local data.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no bundled code. That minimizes disk write / remote code execution risk from the skill package itself.
Credentials
concern: The SKILL.md expects an API key and base URL via environment variables (ZCLAW_BASE_URL / ZINIAO_ZCLAW_BASE_URL, ZCLAW_API_KEY) and a local config file (~/.zclaw/config.json) as an alternative for the API key. The registry metadata, however, declares no required env vars or required config paths. Requiring access to a local config file or API key is reasonable for this functionality, but it should be declared explicitly. The undocumented expectation to read ~/.zclaw/config.json or an env var increases the chance of unexpected credential access or leakage if the skill is installed without user awareness.
Persistence & Privilege
ok: The skill is not marked always:true and does not request system-wide persistence. Autonomous invocation (disable-model-invocation: false) is the platform default; it is not by itself a red flag. The skill does not request modification of other skills or system settings.