Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
自动周报助手 (Automatic Weekly Report Assistant)
v1.0.0 · An automatic weekly report organizer. It aggregates work items from multiple data sources (GitHub, Feishu documents, calendar) and generates a Markdown weekly report. It also supports saving report history, AI summaries, exporting to PDF/HTML, sending email, and writing to Feishu documents. Intended for users who need to summarize their work on a regular schedule.
⭐ 0 · 94 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, high confidence

Purpose & Capability
The skill's name and description match the bundled scripts: GitHub, Feishu and calendar fetching, report generation, PDF/HTML export, email sending, and local history management. However, the registry metadata declares no required environment variables or credentials, while SKILL.md and the scripts clearly require secrets (a GitHub token, a Feishu token, and SMTP credentials or a Google credentials file). That mismatch is an inconsistency (most likely a metadata omission), not evidence of malicious behavior.
Instruction Scope
The runtime instructions and scripts operate within the expected scope: they call the GitHub, Feishu and calendar APIs and write reports to ~/.weekly-report/history/. They do not contact unknown external endpoints. One notable operational detail: SKILL.md and the sample commands pass tokens and passwords on the command line, which can leak them into shell history and process listings; the Google Calendar path expects a local credentials file. Also review the code quality issues (for example, a couple of datetime.timedelta references that will raise errors) before scheduling the skill to run unattended.
Install Mechanism
This is an instruction-only skill with bundled scripts and no install spec that downloads remote code. No external installers or unpacking from arbitrary URLs are used, so installation risk is low. The code imports external Python packages (requests, PyGithub, googleapiclient), so you must provide a trusted runtime environment with those dependencies installed.
Credentials
Although the registry metadata lists no required environment variables, the scripts require sensitive credentials (a GitHub personal access token, a Feishu access token, a Google credentials file, and an SMTP username and password). Those credentials are reasonable for the described integrations, but the metadata omission is misleading. Also, passing secrets as command-line arguments (as the examples in SKILL.md do) can expose them via process listings or shell history — a privacy risk to consider.
Persistence & Privilege
The skill writes report files and metadata into its own user-scoped directory (~/.weekly-report/history/), which is appropriate for its purpose. It does not request always:true, does not modify other skills, and does not attempt to change system-wide agent settings.
Assessment
This skill appears to do what it claims, but review the following before installing or using it:
1) Credentials: the scripts require GitHub, Feishu, SMTP and Google credentials even though the registry metadata lists none. Supply tokens securely (prefer environment variables or a secrets store over raw CLI arguments) and avoid leaving passwords in shell history.
2) Local storage: reports and metadata are saved under ~/.weekly-report/history/. Check the directory permissions and remove sensitive contents if needed.
3) Dependencies: ensure the Python packages (requests, PyGithub, googleapiclient) and optional tools (pandoc, xelatex) are installed in a controlled environment.
4) Bugs: there are minor code bugs (incorrect datetime.timedelta usage in history_manager) that you may want to fix before automated runs.
5) Least privilege: create and use scoped API tokens (short-lived or limited-permission) and revoke them when you stop using the skill.
latest · vk9776p109hzpg4fr6ctd0jc5vn838xcm
