Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Merge Drafts

v1.1.0

Intelligent draft merging tool with quality assessment and conflict resolution. Merges multiple drafts into a high-quality article, supporting multiple input...

by Jialin @0xcjl
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (merge drafts, quality assessment, conflict resolution) align with the SKILL.md workflow: parsing inputs, evaluating, detecting conflicts, merging and producing outputs. Accepting local files, pasted text, URLs and Feishu doc links is reasonable for this purpose. Minor inconsistency: the skill advertises support for producing Feishu documents as an output format but provides no environment variables, credentials, or instructions for authenticating to Feishu (writing to Feishu normally requires auth), which is unexplained.
Instruction Scope
The runtime instructions are narrowly scoped to tasks needed for merging drafts: input parsing (local files/URLs/Feishu/public links), per-document evaluation, conflict detection, choosing a base draft, semantic fusion, minimal polishing, and producing outputs/reports. The skill instructs reading files (including analysis.md in the same directory) which is appropriate for the task, but callers should be careful to supply only intended file paths — the skill will process whatever paths/links the user supplies. There are no instructions that attempt to read unrelated system configuration, secrets, or broad system state.
Install Mechanism
Instruction-only skill with no install spec and no code files; this minimizes disk-write/install risk. The scanner had no code to analyze, so there is no install-time risk from downloaded artifacts.
Credentials
The skill declares no required environment variables or credentials, which is appropriate for many merging tasks. However, it claims both input (Feishu doc links) and output support for Feishu documents. Reading publicly shared Feishu links can work without credentials, but producing/writing Feishu documents typically requires authentication and API tokens. The SKILL.md does not declare required env vars (e.g., FEISHU_TOKEN) or explain how Feishu output is to be performed, so the capability/credential pairing is inconsistent and unexplained.
Persistence & Privilege
No persistence or elevated privileges requested. always is false and there are no install hooks or system-wide changes mentioned. The skill does not ask to modify other skills' configs or to enable permanent agent-wide hooks.
What to consider before installing
This skill appears to be a focused draft-merging workflow and poses low intrinsic install risk because it is instruction-only and requests no credentials. Before installing or using it:
1) confirm how Feishu output is supposed to work — if you expect the skill to write documents to your Feishu account, ask the author how authentication is handled and whether any API tokens will be requested;
2) when supplying local file paths, avoid passing system or sensitive files — the skill will process whatever files you give it;
3) test the skill with non-sensitive sample drafts to verify outputs and that conflict-handling behaves as described;
4) if you need Feishu writing, prefer a skill that explicitly declares required credentials and an install/auth flow rather than relying on unclear instructions.
If the author can clarify Feishu write behavior (or remove Feishu output claims), the inconsistencies would be resolved and the skill would be closer to benign.

Like a lobster shell, security has layers — review code before you run it.
