Skill Trust Decision

doctor-check

SKILL.md declares API key validation and permission checks without specifying implementation details or access levels, creating a doc-to-code mismatch risk.

Install decision first
Source: Manual upload
Scanned: Apr 3, 2026
Files 1
Artifacts 0
Violations 0
Findings 3

Why this conclusion was reached

0/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Undeclared implementation +20

Skill declares 'API密钥有效性检查' (API key validity check) without specifying how validation is performed

Ambiguous permission checks +15

'权限设置' (permission settings) is declared, but the scope of permission access is not specified

Implicit filesystem write +10

'锁文件清理' (lock file cleanup) implies file deletion but is not explicitly declared as WRITE access

Most important evidence

Medium Doc Mismatch

API key validation method unspecified

SKILL.md declares 'API密钥有效性检查' but does not specify whether keys are validated locally or by calling external services. This creates ambiguity about network access and data handling.

SKILL.md:15
Clarify whether API keys are validated locally (structure check) or externally (network request to validation endpoint)
Low Doc Mismatch

Permission check scope not declared

'权限设置' (permission settings) is declared as a check item but the scope of what permissions are checked and how is not specified.

SKILL.md:16
Specify which permission categories are checked and what constitutes a permission issue
Low Doc Mismatch

Implicit filesystem WRITE not declared

'锁文件清理' (lock file cleanup) implies the ability to delete files, constituting filesystem WRITE access, but this is not explicitly declared in the capability model.

SKILL.md:12
Explicitly declare filesystem WRITE permission if lock file cleanup involves deletion

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred UNKNOWN
SKILL.md: '锁文件清理' (lock file cleanup) implies deletion capability
Environment Pass
Declared READ
Inferred UNKNOWN
SKILL.md: '环境检查' (environment check) is declared, but no detail on scope
Network Pass
Declared NONE
Inferred UNKNOWN
SKILL.md: 'API密钥有效性' (API key validity) may require network access for validation

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

1 file · 53 lines
Markdown 1 file · 53 lines
Files of concern · 1
SKILL.md Markdown · 53 lines
API key validation method unspecified · Permission check scope not declared · Implicit filesystem WRITE not declared

Security positives

No actual code files present: malicious behavior cannot execute without an implementation
No network requests declared (only implied via API key check)
No credential harvesting explicitly declared
No base64, obfuscation, or suspicious patterns in documentation