Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

YTLong Daily Report

v1.0.0

Automatically generate daily/weekly work reports from git commits, calendar events, and task lists. Use when you need to quickly create professional work rep...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
SKILL.md and the description claim aggregation from git, calendar, and task managers (Google/Apple/Apple Reminders). The shipped index.js implements only git commit collection and report generation; there is no calendar or task integration code. This is a clear mismatch between claimed capabilities and actual implementation.
Instruction Scope
Runtime instructions tell the user to run node index.js and create .reportrc.json. The program reads .reportrc.json and executes shell commands via execSync: it builds a command string containing the configured repo path and runs cd "<repo>" && git log ... through the shell. Because repo paths are interpolated into that shell string, a malicious or malformed repo entry in .reportrc.json can cause shell command injection. The script also writes report files (report-<since>.md) to the current working directory.
Install Mechanism
No install spec is provided (instruction-only skill plus included Node files). package.json is present but there are no external dependencies and installation is standard npm install. Nothing is downloaded from unknown hosts during install.
Credentials
The skill declares no required environment variables or credentials, which matches the code. However, SKILL.md mentions optional calendar access (Google/Apple) without specifying how credentials would be provided; since no calendar code exists, there is currently no handling of OAuth tokens or secrets. This inconsistency should be clarified before trusting calendar/task features.
Persistence & Privilege
The skill does not request persistent 'always' presence, does not modify other skills or global agent settings, and only writes a report file to the working directory. No elevated platform privileges are requested.
What to consider before installing
The skill claims it aggregates git, calendar, and tasks, but the code only reads git commits, so treat calendar/task features as unimplemented. Before installing or running:
(1) review .reportrc.json and only include trusted local repo paths; untrusted paths can lead to shell injection because the code embeds repo strings into a shell command;
(2) prefer to run the script in a non-sensitive directory and inspect the generated report file;
(3) if you need calendar/task integration, request clarification or an updated version that implements and documents secure OAuth handling;
(4) consider patching the code to avoid execSync string interpolation (use child_process.spawn with argument arrays or validate/sanitize repo paths) to eliminate the command-injection risk.
