Skillv1.0.0

ClawScan security

Project Watcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 28, 2026, 1:33 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: Files and runtime instructions are consistent with a roadmap + Git commit notification skill that posts commit info to Feishu; nothing in the bundle appears to perform unexpected data exfiltration or privileged system changes.
Guidance: This skill is coherent with its description but review and control how you provide credentials and install hooks before using it: - send_card.py will send git commit metadata (repo, branch, short hash, commit message) to Feishu. You must supply FEISHU app_id/app_secret (via env vars FEISHU_APP_ID/FEISHU_APP_SECRET or by editing configs/feishu.json). Do not commit real secrets to repos. - The post-commit hook will run only if you put scripts/post-commit-hook.sh into .git/hooks/post-commit. Installing hooks is a manual action — don't copy hooks from untrusted code without review. - Example configs/projects.yaml references an SSH private key path. This repository does not use that key, but if you extend the skill to perform remote deploys, avoid placing private keys in project repos or shared config files. - Confirm the Feishu app has only the scopes you expect and that you trust the receive_id/open_id being used. Consider creating a dedicated Feishu app account with limited permissions for notifications. - If you need higher assurance, inspect send_card.py yourself; it uses the official Feishu endpoints and no obfuscated code was found. Given these checks, usage is reasonable. If the registry metadata should have declared required env vars, ask the publisher to update it before installing to avoid surprises.

Review Dimensions

Purpose & Capability: noteThe skill's name/description match its code and instructions: it manages a roadmap and sends git commit notifications to Feishu. Minor mismatch: registry metadata lists no required environment variables, but the code and SKILL.md expect Feishu credentials (app_id/app_secret) provided via env vars or configs/feishu.json.
Instruction Scope: okSKILL.md instructs creating and updating ROADMAP.md and optionally installing a post-commit hook. The included post-commit hook and send_card.py only gather basic git metadata (branch, short hash, commit message, repo name) and POST to the official Feishu open-apis endpoint — scope matches the described notification purpose.
Install Mechanism: okNo install spec; this is instruction-only with small helper scripts included. Nothing is downloaded or executed automatically by an installer, so disk writes and execution are under user control (you must place the hook manually).
Credentials: noteThe only required secrets in practice are Feishu app_id/app_secret (env vars or configs/feishu.json). The example projects.yaml references an SSH key path for remote_deploy (sensitive), but no code in this bundle reads or uses that SSH key. Be aware the skill encourages storing Feishu credentials in configs/feishu.json or env vars — the metadata not listing env requirements is an inconsistency to notice.
Persistence & Privilege: okalways is false and the skill does not request system-wide persistence or modify other skills. The post-commit hook runs only if you install it into a repository's .git/hooks; there is no automatic global installation.