Trusted — Risk Score 5/100
Last scan: 1 day ago
reviewlens
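Review Lens - compresses masses of product reviews into verdict cards, telling you what real buyers repeatedly praise and complain about, who it suits, and who is likely to get burned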
ReviewLens is a benign review-intelligence skill that analyzes Chinese e-commerce marketplace reviews into decision cards. The single shell script (publish.sh) is a standard clawhub CLI publishing utility with no malicious patterns.
Skill Name: reviewlens
Duration: 37.1s
Engine: pi
Safe to install
Approve for use. The skill performs only declared read-only review analysis with no hidden functionality.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | SKILL.md:288 — reads reference/*.md files for review heuristics |
| Network | NONE | READ | ✓ Aligned | SKILL.md:296-300 — browser inspects public review tabs only |
| Shell | NONE | NONE | | scripts/publish.sh runs clawhub CLI for publishing, fully declared and documente… |
| Environment | NONE | NONE | | No environment variable access detected in any file |
| Clipboard | NONE | NONE | | No clipboard access found |
| Browser | READ | READ | ✓ Aligned | SKILL.md:296-300 — browser workflow only for public review tab inspection |
| Database | NONE | NONE | | No database access found |
| Skill Invoke | NONE | NONE | | No inter-skill invocation found |

File Tree

9 files · 26.1 KB · 823 lines
Markdown 6f · 730L Shell 1f · 66L JSON 1f · 23L YAML 1f · 4L
├─ 📁 agents
│ └─ 📋 openai.yaml YAML 4L · 466 B
├─ 📁 references
│ ├─ 📝 example-prompts.md Markdown 41L · 1.3 KB
│ ├─ 📝 fit-mismatch.md Markdown 78L · 2.1 KB
│ ├─ 📝 review-signals.md Markdown 85L · 2.9 KB
│ └─ 📝 verdict-cards.md Markdown 68L · 1.9 KB
├─ 📁 scripts
│ └─ 🔧 publish.sh Shell 66L · 1.9 KB
├─ 📋 clawhub.json JSON 23L · 538 B
├─ 📝 RELEASE.md Markdown 133L · 3.1 KB
└─ 📝 SKILL.md Markdown 325L · 11.8 KB

Security Positives

✓ No credential harvesting — skill never accesses environment variables, SSH keys, AWS configs, or .env files
✓ No network exfiltration — no outbound data transfer beyond intended clawhub publish command
✓ No obfuscation — no base64, eval, atob, or anti-analysis patterns anywhere in the codebase
✓ No remote script execution — no curl|bash, wget|sh, or similar download-and-execute patterns
✓ Clear safety boundary — SKILL.md explicitly forbids login, posting reviews, or placing orders
✓ Shell script is a simple publishing utility — uses set -eu for strict error handling, copies files only, no network abuse
✓ No supply chain risk — no package dependencies, no requirements.txt, no unpinned pip installs
✓ Strong doc-to-code alignment — SKILL.md declarations match implementation exactly
✓ No sensitive file access — never touches ~/.ssh, ~/.aws, or similar credential paths
✓ Intent is transparent — skill is purely a review-analysis text-processing tool