v1.0.0

team-quality-daily-report

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:12 AM.

Analysis

The skill matches its reporting purpose, but it deserves review because it reuses a logged-in Chrome session to read internal dashboard data and stores daily results locally.

Guidance: Review this skill before installing. It appears purpose-aligned and does not show exfiltration or destructive behavior, but it will use a logged-in Chrome session to query the configured dashboard API. Confirm the account, dashboard URL, API endpoint, local output directory, and any cron scheduling are exactly what you intend.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
dist/utils/api.js
const dataList = await page.evaluate(async (apiUrl, data) => { const res = await fetch(apiUrl, { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify(data) });

The skill replays a captured dashboard API request from the browser context after modifying date filters. This is purpose-aligned for report generation, but it is raw API automation rather than a narrower scoped integration.

User impact: The skill can query the configured dashboard API using the browser session and save the returned metrics.
Recommendation: Review the configured URL and dataAPI carefully, and verify the request is read-only and limited to the intended quality-report data.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
package.json
"dependencies": { "@bondli-skills/shared": "^1.0.0", "puppeteer": "^22.0.0", "puppeteer-core": "^22.15.0" }

The browser connection helper and automation stack come from external semver-ranged dependencies. This is expected for a Puppeteer-based skill, but users should trust those packages because they mediate browser/session access.

User impact: Dependency changes could affect how the skill connects to the browser or handles the logged-in session.
Recommendation: Prefer installing from a trusted source with a lockfile or reviewed dependency versions, especially for the shared browser helper.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
README.md
## Scheduled automatic runs (recommended)

Generate the daily report automatically every day via cron

The README recommends a user-configured cron job for daily unattended runs. This is disclosed and user-directed, not automatically installed by the skill.

User impact: If the cron example is installed, the skill will repeatedly access the dashboard and write reports without a fresh prompt each day.
Recommendation: Only add the cron job if unattended access is intended, and ensure the logged-in browser session and output directory remain appropriate for recurring use.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
README.md
Connect to an existing Chrome browser (reuse the logged-in session)

The skill explicitly reuses an already logged-in Chrome session to access the configured report system. That is high-impact account/session access, and the registry metadata declares no primary credential.

User impact: The skill may access internal dashboard data using whatever account is logged into the connected Chrome profile.
Recommendation: Before installing, confirm which Chrome profile/session is used, limit the configured dashboard/API to the intended report, and run it only under an account with appropriate read permissions.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
~/openclaw-skill-data/team-quality-daily-report/YYYY-MM-DD.json
~/openclaw-skill-data/team-quality-daily-report/YYYY-MM-DD.md

The skill stores daily fetched metrics and generated reports persistently on the local filesystem. The location is disclosed and purpose-aligned, but the data may be sensitive business information.

User impact: Daily team quality metrics and reports will remain on disk unless the user removes or manages them.
Recommendation: Store the output directory in an appropriate location, restrict local access if the data is sensitive, and periodically delete old reports if retention is not needed.