zhang-cross-border-trade Security Report — Low Risk | ClawSafe

15 /100

zhang-cross-border-trade

九章跨境贸易法律专家V1.1.0 - 贸易合规、海关监管、进出口管制

Pure documentation skill with no executable code; declared capabilities are reasonable for a legal AI assistant, though data collection is enabled.

Skill Namezhang-cross-border-trade

Duration24.5s

Enginepi

✓

Safe to install

Skill is safe to use as-is. Monitor evolution system data collection. Consider pinning DeepSeek API key versions.

Findings 1 items

Severity	Finding	Location
Low	Evolution data collection enabled Doc Mismatch The metadata declares evolution.system.data_collection: true, indicating user data may be collected for model improvement. No exfiltration mechanism exists in this file. `data_collection: true` → Ensure data collection complies with privacy regulations and inform users clearly	`SKILL.md:7`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file operations in documentation
Network	`READ`	`READ`	✓ Aligned	web_search declared in openclaw.capabilities
Shell	`NONE`	`NONE`	—	No shell operations declared or found
Environment	`READ`	`READ`	✓ Aligned	DEEPSEEK_API_KEY declared in openclaw.requires.env
Skill Invoke	`NONE`	`NONE`	—	No skill chaining documented
Clipboard	`NONE`	`NONE`	—	Not mentioned
Browser	`NONE`	`NONE`	—	No browser automation
Database	`NONE`	`NONE`	—	No database access

1 files · 1.6 KB · 65 lines

Markdown 1f · 65L

└─ 📝 SKILL.md Markdown 65L · 1.6 KB

✓ Only documentation file exists; no executable code to analyze

✓ All capabilities (reasoning, web_search, file_read) are declared in metadata

✓ No base64 payloads, obfuscation, or suspicious patterns

✓ API key requirement properly declared

✓ No credential harvesting beyond the declared API key

✓ Self-update disabled (auto_update: false) reduces supply chain risk