v0.1.5

知识沉淀引擎

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:33 AM.

Analysis

This skill matches a daily knowledge-archiving purpose, but it reads private notes, chat history, and local credentials, then writes full reports to hard-coded Feishu/Get locations while partly describing the workflow as read-only.

Guidance

Only install this if you intend this exact workflow to read your Get notes, OpenClaw conversation history, and configured Get/Feishu credentials, and if the hard-coded Feishu folder and OpenID belong to the person/account you expect. Review the destination, permissions, and generated report before allowing uploads or access grants.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: High. Confidence: High. Status: Concern.
SKILL.md
All external API calls are read-only requests ... POST https://openapi.biji.com/open/api/v1/resource/note/save ... curl -X POST ... /docx/v1/documents ... perm: full_access

The safety text says external API calls are read-only, but the workflow later saves Get notes, creates Feishu documents, and grants document permissions.

User impact: A user may install it believing the external calls only read data, while the agent can actually create documents, archive content, and change access permissions.
Recommendation: Correct the safety description, clearly list all write/share operations, and require explicit user confirmation before creating documents or granting access.
Tool Misuse and Exploitation
Severity: High. Confidence: High. Status: Concern.
SKILL.md
Use `exec` + `curl` to create a document in the shared folder ... curl -X POST ... open-apis/docx/v1/documents ... grant 张公子 `full_access` permission

The skill uses raw shell/curl through `exec` for Feishu document creation and permission mutation rather than only using bounded Feishu tools.

User impact: If the workflow runs with the wrong inputs or account context, it can create and share cloud documents without a narrow tool boundary.
Recommendation: Use scoped Feishu tools where possible, avoid raw curl for mutating operations, and add user approval before each external write or permission change.
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: Medium. Status: Note.
_meta.json
"version": "0.1.4"

The packaged metadata version differs from the supplied registry/SKILL version 0.1.5, and the skill also relies on undeclared local commands such as `getnote` and `curl`.

User impact: Version or dependency mismatches make it harder for a user to verify exactly what workflow they are installing.
Recommendation: Align packaged metadata with the registry version and declare required binaries/tools and credential prerequisites.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
SKILL.md
Read `skills.entries.getnote.apiKey` and `skills.entries.getnote.env.GETNOTE_CLIENT_ID` from `~/.openclaw/openclaw.json` ... app_secret ... tenant_access_token/internal

The workflow reads local credential material and uses a Feishu tenant token for document and permission operations, despite the registry metadata declaring no primary credential or required config path.

User impact: The agent would handle powerful account credentials and tenant-level authorization material, which could affect Get note and Feishu data if misused.
Recommendation: Declare the required credentials/config paths, use least-privilege scoped tokens, avoid passing secrets as command-line arguments, and show the user exactly which account will be used.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: High. Confidence: High. Status: Concern.
SKILL.md
Folder token `FQfXfYBGGllxxydJ1SgcJZWqnpf` ... content: 【the full text of the briefing must be written here】 ... member_id: `ou_d8ace8a146610ca26bc07d8e68a5620f`, perm: `full_access`

The generated full report is sent to a hard-coded Feishu folder and access is granted to a hard-coded OpenID, creating unclear recipient and tenant boundaries.

User impact: Private notes, conversation-derived summaries, and behavioral analysis could be placed in a Feishu location or shared with a person the installing user did not intend.
Recommendation: Remove hard-coded folder/user IDs, require user-configured destinations, display the destination before upload, and let the user choose whether to grant access.
Memory and Context Poisoning
Severity: Medium. Confidence: High. Status: Note.
SKILL.md
sessions_history reads the matching session content ... deeply analyze the user's learning, reflections, and work state ... write to a local file ... archive in sync across all three endpoints

The skill intentionally converts private session content into persistent daily summaries and profile-style analysis across local and cloud archives.

User impact: The resulting archive may preserve sensitive or incorrect interpretations of the user's work, learning, and personal state.
Recommendation: Review generated reports before syncing, limit included conversation content, and define retention/deletion expectations for local, Get note, and Feishu copies.