clawshire-data-query
Pass
Audited by Gen Agent Trust Hub on Mar 21, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's primary function is to query financial data from api.clawshire.cn, which is the official endpoint for the service. All network activity is restricted to this domain and is necessary for the skill's described functionality.\n- [CREDENTIALS_UNSAFE]: The skill utilizes the CLAWSHIRE_API_KEY environment variable for authentication. It includes explicit instructions to the AI agent to verify the key's existence without displaying its value in the output, adhering to secret management best practices.\n- [EXTERNAL_DOWNLOADS]: The skill performs HTTP GET requests to retrieve data. These operations are limited to the vendor's infrastructure and do not involve downloading or executing external code.\n- [COMMAND_EXECUTION]: A Python script (scripts/clawshire_client.py) is used to handle API interactions. The script relies entirely on Python's standard library, avoiding third-party dependency risks, and contains no dangerous system calls, shell injection points, or privilege escalation paths.\n- [SAFE]: Indirect Prompt Injection Risk Analysis:\n
- Ingestion points: The met_link argument and the JSON response from the API processed in scripts/clawshire_client.py.\n
- Boundary markers: None explicitly mentioned in the workflow prompts in SKILL.md.\n
- Capability inventory: Network access via urllib.request inside scripts/clawshire_client.py.\n
- Sanitization: Inputs are URL-encoded using urllib.parse.urlencode before being used in API requests.\n
- Conclusion: This data ingestion surface is intrinsic to the skill's purpose and does not present a malicious risk.
Audit Metadata