expert-writing-asmcp

Warn

Audited by ClawScan on May 11, 2026.

Overview

The skill’s AnyShare writing workflow is mostly purpose-aligned, but it asks for cloud account access and contains unsafe instructions that can proceed without confirmation and may embed template text into generated code.

Review this skill carefully before installing. It is designed for AnyShare document writing, but you should remove or avoid the 5-minute auto-proceed behavior, ensure any generated scripts safely handle template text, and only provide an AnyShare token and documents you are comfortable using with this cloud workflow.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could generate and save a full document in the user’s AnyShare account based on an outline the user did not explicitly approve.

Why it was flagged

The skill allows body-text generation to proceed automatically after no user response, despite the workflow otherwise requiring explicit outline confirmation before calling the writing tool.

Skill content

| **No response for 5 minutes** | **Automatically proceed to the body-writing stage** (no further waiting) |

Recommendation

Require an affirmative user confirmation before body-text generation; if the user does not respond, leave the task pending instead of proceeding automatically.

What this means

A malicious or malformed template could cause commands to run on the user’s machine when the generated script is executed.

Why it was flagged

The static scan reports direct insertion of template content into generated source code. If that content is user- or provider-controlled and not escaped, it can break out of the string and run unintended Python code.

Skill content

template_content = """${TEMPLATE_CONTENT}"""

Recommendation

Do not generate executable source with raw template text. Pass template content as JSON, read it from a data file, or use safe escaping/serialization such as `json.dumps`.

What this means

Installing and using the skill gives the workflow access to the user’s AnyShare account according to the token’s permissions.

Why it was flagged

The skill requires an AnyShare access token configured in the MCP server to access document libraries and run writing APIs.

Skill content

"Authorization": "Bearer <your_token_here>"

Recommendation

Use a least-privilege token if available, store it only in the intended config file, rotate/revoke it when no longer needed, and confirm which AnyShare libraries the token can access.

What this means

Sensitive project files may be uploaded to AnyShare and processed by the provider as part of the intended workflow.

Why it was flagged

The skill routes document-writing operations through the AnyShare ASMCP service, meaning selected project files and generated outputs are handled by that external MCP/provider endpoint.

Skill content

"url": "https://anyshare.aishu.cn/asmcp/"

Recommendation

Only use this skill with documents you are allowed to upload to AnyShare, and verify the target document library and sharing settings before running it.