Sop Extractor
ReviewAudited by ClawScan on May 17, 2026.
Overview
This skill’s main purpose is coherent, but it can generate persistent skills that later store credentials and auto-install unpinned tools, so users should review it carefully before use.
Only use this skill if you are comfortable reviewing the generated skill before it is saved. Do not provide real passwords or broad database credentials unless the generated workflow clearly needs them and uses least-privilege storage. Before running any generated skill, check whether it will install packages or write credentials, and require manual confirmation for those steps.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated workflow could ask for and save passwords, API URLs, or database credentials in local environment/profile files, making them available to later agent sessions.
The credential flow asks users to provide service/database/mail secrets and persist them for future use. This is sensitive authority, and it is not clearly declared in metadata; it also conflicts with the main SKILL.md safety statement that says not to request passwords/keys.
用户提供 → 写入环境变量 ... 成功则永久可用 ... EMAIL_PASS=应用专用密码 ... DB_USER(建议只读账号)/ DB_PASS
Require explicit approval before collecting or storing credentials, declare credential types, prefer secret managers or scoped app tokens, use least-privilege/read-only accounts, and avoid writing secrets to shell profiles automatically.
Using a generated skill later could install new software on the user’s machine without enough review of the package source or permissions.
The generated skill template instructs future skills to automatically install unspecified pip or apt dependencies at runtime, without a reviewed install spec, package pinning, or clear user approval.
缺失时处理:`pip install xxx` 或降级为人工模式 ... 工具未安装 | 自动尝试安装(pip install / apt install)
Generate explicit dependency manifests, pin package versions, require user confirmation before installation, avoid privileged OS package installs by default, and provide manual setup alternatives.
Future agent sessions may reuse the saved process details, so internal procedures, business rules, or confidential context could persist locally.
The skill intentionally stores user-provided workflow details and tacit workplace knowledge as persistent skill instructions after confirmation. This is purpose-aligned, but the saved content may include sensitive internal process information.
用用户原话,隐性知识单独成章 ... 展示给用户确认后写入 skills 目录
Review the generated workflow before saving, remove secrets or sensitive client/business details, keep triggers narrow, and update or delete outdated generated skills.
The agent may inspect local configuration while deciding which tools can automate a workflow.
The tool-discovery guide includes reading local agent configuration and installed skill files. This is relevant to discovering automation capabilities, but those files may reveal local tool/server configuration details.
cat ~/.hermes/config.yaml | grep -A 20 "mcp" ... ls ~/.hermes/skills/*/SKILL.md
Ask before reading local config files, avoid displaying or storing secrets from those files, and redact tokens or private endpoints if they appear.