Skillv1.2.1

ClawScan security

Chinese Daily Report Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 1, 2026, 6:47 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and instructions match its stated purpose (generate and save structured daily/weekly reports); it is instruction-only, asks for no credentials or installs, and contains no code or external endpoints.
Guidance: This skill is instruction-only and coherent with its purpose: it will ask you for your work records, generate a structured Markdown report (including required problem-replay sections), and save the file under ~/reports/daily or ~/reports/weekly in the OpenClaw workspace. Before installing, consider: 1) Do you want the agent to write files automatically into your workspace? The skill's directives require saving reports to those paths (the agent should show the report and confirm the save). 2) Review any generated report content before sharing externally (it may include sensitive project details you provide). 3) Because the skill has no code or external endpoints, there is no direct evidence of data exfiltration from the skill itself — but the agent platform may have its own network/connector permissions you should review. If you prefer not to have files auto-saved, decline or remove the skill or change the save behavior in your workspace policies.

Purpose & Capability: okName/description (自动生成日报/周报并包含问题复盘) align with the SKILL.md: it only asks the agent to collect user-provided work records, format them into a report, and save to ~/reports. No unrelated credentials, binaries, or external services are requested.
Instruction Scope: noteInstructions are focused on collecting user input, producing a structured Markdown report, and saving it under the workspace (~/reports/daily or ~/reports/weekly). This is coherent for the purpose, but the skill's mandatory system directive enforces saving to a filesystem path (the OpenClaw workspace) — users should be aware the agent will write files unless they decline or remove the skill.
Install Mechanism: okNo install spec, no code files, and no downloads. Instruction-only skills have minimal installation risk because nothing is written to disk by the skill package itself.
Credentials: okThe skill requires no environment variables, credentials, or config paths. All declared behaviors (file saves to workspace) are proportional to generating and persisting reports.
Persistence & Privilege: noteThe skill is not always:true and does not request elevated privileges. However, the included AI SYSTEM DIRECTIVE contains 'must' rules (e.g., must save reports to specific paths). This enforces persistent behavior while loaded — not inherently dangerous but worth noting for users who do not want automatic file writes.