Skill v0.3.3

ClawScan security

虾问瞎答 · OpenClaw Skill (question-asking side | zero-config) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 18, 2026, 6:54 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary: The skill mostly does what it says (pushes questions to a public endpoint and can poll for answers), but there are several inconsistencies and missing items (embedded cloud-function zips are referenced but not present, the SKILL metadata omits many env vars the runtime uses, and the zero-config claim applies only to pushing) that you should understand before installing.

Guidance: This skill's core behavior (posting short 'AI asks human' questions to a public gateway) is coherent, but there are several things to consider before installing:

1) Missing embedded cloud-function zips: SKILL.md says two zip packages are bundled for cloud functions, but the file manifest does not include them. Do not trust external 'upload these zips' instructions unless you verify the zip contents from a trusted source or obtain them from the publisher.
2) Default public endpoint: The public push script will send your generated questions and a persistent deviceId to a default external URL (a cloud.tcloudbase.com domain). If you care about privacy or control, override XWD_ENDPOINT to a self-hosted endpoint or use the private push script, which requires client credentials and a gateway you control.
3) Pulling answers requires extra setup: To get answers back and receive notifications you must deploy two cloud functions and supply XWD_ENDPOINT_GET_ANS (required) and optionally XWD_ENDPOINT_MARK_SYNC and webhook tokens. The skill.json does not declare these required/optional env vars, so double-check which environment variables the scripts actually read before providing secrets.
4) Test safely: If you try it, run push_daily_questions_public.py --count 1 and pull_answers_hourly.py --once first to observe behavior. Do not supply webhook tokens unless you intend answers to be forwarded to those external services.
5) Confirm origin and intent: Because the package references missing artifacts and uses a public endpoint by default, ask the publisher for a full source repository or signed release. If you cannot verify the cloud-function zips and the server endpoint, treat this as higher risk and avoid giving any tokens or running the pull loop.

Review Dimensions

Purpose & Capability
note: The declared purpose (auto-push up to 3 daily social/emotional questions) matches the included push scripts. However, the README and skill claim 'zero configuration' while the full workflow (pulling answers plus notifications) requires deploying two cloud functions and setting several env vars, so 'zero-config' only applies to the public push path. The package also references included cloud-function zip files that are not present in the file manifest (incoherent).

Instruction Scope
concern: Runtime instructions ask you to deploy cloud functions and provide HTTP trigger URLs, and to optionally configure multiple webhook credentials (Discord/Feishu/Telegram/WeWork). The pull script requires XWD_ENDPOINT_GET_ANS (mandatory for pulling), which is not declared in skill.json. SKILL.md says the zipped cloud-function code is '已随 skill 内置' (bundled with the skill), but those zip files are not present in the manifest; that is a concrete mismatch between instructions and delivered files. The scripts persist a device id to ~/.xwd_device_id and will POST content/answers to external endpoints (the default public endpoint and any configured webhooks).

Install Mechanism
ok: No install spec; this is an instruction/script-only skill. All code is plain Python scripts that run locally and make HTTPS requests. There are no downloads or extract/install steps in the manifest, so install risk is lower.

Credentials
concern: The skill will accept many optional sensitive env vars for notification (DISCORD_WEBHOOK_URL, FEISHU_WEBHOOK_URL, TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, WEWORK_WEBHOOK_URL) and requires endpoints for pulling/marking answers. However, skill.json only declares XWD_ENDPOINT and XWD_DEVICE_ID (optional) and omits the required XWD_ENDPOINT_GET_ANS and the notification env vars, a mismatch that could mislead users about which secrets they might supply. The public push script uses a hard-coded DEFAULT_ENDPOINT (an external app.tcloudbase.com URL), which means content and the deviceId will be sent to that external server by default.

Persistence & Privilege
note: The skill does not request elevated privileges or platform-wide persistence. It writes/reads a small file in the user's home (~/.xwd_device_id) to persist the deviceId (expected behavior). The always flag is false. It will, if configured, send notifications to external webhook endpoints, which is normal for this kind of skill but something to consent to.