Skill v1.0.0

ClawScan security

Dataworks Daily Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 24, 2026, 8:02 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared metadata does not match its runtime instructions: the SKILL.md expects Alibaba Cloud credentials and a Feishu delivery mechanism (sensitive data) but the registry entry lists no required env vars or delivery credentials, and Feishu configuration is missing—this mismatch warrants caution before installing.
Guidance
This skill is plausible for DataWorks monitoring, but there are important inconsistencies and missing details you should resolve before installing:

- The SKILL.md and README instruct reading ALIYUN_ACCESS_KEY_ID / ALIYUN_ACCESS_KEY_SECRET and the DataWorks project/region, but the registry lists no required env vars. Ask the author to update the metadata to explicitly list every required secret.
- The skill plans to send reports via Feishu but does not state how Feishu credentials, webhook URL or user IDs are supplied. Confirm the exact mechanism (Feishu bot token, webhook URL, or OIDC) and where those secrets are stored.
- Never provide long-lived root account credentials. Use a RAM subaccount with the minimal permissions needed to call ListDagInstances/GetInstanceStatus and nothing else.
- Avoid storing secrets in plaintext files such as ~/.bashrc or an unencrypted openclaw.json. Prefer the platform's secret store or an encrypted config, and rotate or revoke test keys after verifying behavior.
- Because the skill can be invoked autonomously, ensure the keys you provide cannot be used to perform unrelated actions (enforce least privilege). Test with read-only or very narrowly scoped keys first.
- Request or inspect runnable code (not just instructions) to verify how failures, recipient mentions and report delivery are implemented, and to confirm that no unexpected data exfiltration occurs.

If the author cannot clarify the missing Feishu configuration or update the declared env vars, treat the skill as untrusted and do not provide production credentials.
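The first two guidance points describe a mechanical check: compare the env vars the instructions read against the env vars the registry metadata declares, and flag any delivery channel whose credentials appear nowhere. Below is an added example of that check in Python. It is not ClawHub's scanner and not the skill's code; the SKILL.md text is a constructed sample modelled on the findings above, and the metadata layout (a "requires" object with an "env" list) is an assumption, since the real manifest format is not shown on this page.

```python
"""Cross-check the env vars a skill's instructions read against those its metadata declares."""
import re
from dataclasses import dataclass

# Constructed sample inputs modelled on the scan findings above. They are NOT the real
# Dataworks Daily Monitor files, and the "requires" -> "env" metadata layout is assumed.
SKILL_MD = """\
# Dataworks Daily Monitor
Read ALIYUN_ACCESS_KEY_ID and ALIYUN_ACCESS_KEY_SECRET from the environment,
plus DATAWORKS_PROJECT_ID and DATAWORKS_REGION_ID. Query yesterday's task
instances, then send the report via Feishu and @ the owners of failed tasks.
"""
REGISTRY_METADATA = {"name": "dataworks-daily-monitor", "version": "1.0.0",
                     "requires": {"env": []}}   # nothing declared, as in the scan

# SHOUTY_SNAKE_CASE tokens containing at least one underscore: the usual env-var shape.
ENV_VAR_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
SECRET_HINTS = ("SECRET", "TOKEN", "PASSWORD", "KEY", "WEBHOOK")
# Delivery channels whose credentials must be declared somewhere: (name in prose, env prefix).
DELIVERY_CHANNELS = (("Feishu", "FEISHU"), ("Slack", "SLACK"), ("DingTalk", "DINGTALK"))


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low"
    message: str


def referenced_env_vars(text: str) -> set[str]:
    """Every env-var-shaped identifier the instructions mention."""
    return set(ENV_VAR_RE.findall(text))


def audit(skill_md: str, metadata: dict) -> list[Finding]:
    referenced = referenced_env_vars(skill_md)
    declared = set(metadata.get("requires", {}).get("env", []))
    findings: list[Finding] = []

    # 1. Instructions read a variable the registry never declared. Secret-looking names
    #    are high severity: the installer cannot know the skill will ask for them.
    for name in sorted(referenced - declared):
        sev = "high" if any(h in name for h in SECRET_HINTS) else "medium"
        findings.append(Finding(sev, f"{name} is read by SKILL.md but not declared in metadata"))

    # 2. Declared but never used: harmless, but worth asking the author about.
    for name in sorted(declared - referenced):
        findings.append(Finding("low", f"{name} is declared but never referenced by SKILL.md"))

    # 3. A delivery channel is named but no credential/webhook variable for it exists anywhere.
    known = referenced | declared
    for channel, prefix in DELIVERY_CHANNELS:
        if channel.lower() in skill_md.lower() and not any(v.startswith(prefix) for v in known):
            findings.append(Finding("high", f"{channel} delivery is used but no {prefix}_* "
                                            "credential or webhook is referenced or declared"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Collapse findings to the scanner's vocabulary: any high finding means 'suspicious'."""
    return "suspicious" if any(f.severity == "high" for f in findings) else "ok"


if __name__ == "__main__":
    results = audit(SKILL_MD, REGISTRY_METADATA)
    for f in results:
        print(f"[{f.severity}] {f.message}")
    print("verdict:", verdict(results))
```

On the constructed input this reports the four undeclared variables (the two AccessKey variables as high, the project and region IDs as medium) plus the missing Feishu credential, and returns "suspicious"; re-running it with metadata that declares all four variables and a FEISHU_WEBHOOK_URL drops to a single low finding and "ok". The check is deliberately metadata-only: it says nothing about whether the instructions are safe, only whether the installer is being told what the skill will ask for.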

Review Dimensions

Purpose & Capability
concern
The skill's stated purpose (daily DataWorks monitoring) legitimately requires Alibaba Cloud credentials (AccessKey ID/Secret) and a project/region ID; these appear in SKILL.md and README. However, the registry metadata lists no required environment variables or a primary credential, which is inconsistent. The README also references sending reports via Feishu, but the skill metadata does not declare any Feishu/webhook/token requirements.
Instruction Scope
concern
SKILL.md instructs the agent to read ALIYUN_ACCESS_KEY_ID, ALIYUN_ACCESS_KEY_SECRET, DATAWORKS_PROJECT_ID, and DATAWORKS_REGION_ID, call DataWorks APIs for yesterday's range, then send reports via Feishu and '@' users on failure. The instructions do not specify how Feishu credentials or webhook URLs are provided or protected, nor do they explain precise mention/recipient handling. The README suggests storing keys in the gateway config (~/.openclaw/openclaw.json) or a shell rc file, which could expose secrets if done insecurely.
Install Mechanism
ok
No install spec or code files are included; this is instruction-only. That is a lower installation risk because nothing new is written to disk by an installer, but runtime behavior depends entirely on where credentials and delivery endpoints are configured in the agent environment.
Credentials
concern
The sensitive env vars requested by the instructions (ALIYUN_ACCESS_KEY_ID and ALIYUN_ACCESS_KEY_SECRET) are proportionate to calling DataWorks APIs, but they are not declared in the skill metadata. The skill also requires a Feishu delivery mechanism (token/webhook/user IDs) that is not declared at all. The README's advice to place keys in the gateway config or a shell rc file increases risk if users store long-lived keys or use high-privilege accounts.
Persistence & Privilege
ok
The always flag is false (normal). The skill does not include install-time persistence or request system-wide configuration changes, nor does it claim to modify other skills. Autonomous invocation is allowed (platform default); combined with the environment concerns above, this increases the potential blast radius but is not itself unusual.