Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Issue Analysis Agent
v1.0.0 · Automatically analyzes customer-service issue Excel files, generates weekly reports with trend comparisons, supports HTML visualization, multi-chart display and automatic alerting, and uploads the result to a public link.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill name is consistent with the code, documentation and run instructions: read Excel files, compute statistics, generate an HTML report and upload it to COS. The required Python libraries (openpyxl, qcloud_cos, requests) also match the functionality. The only inconsistency is that the registry metadata declares "no environment variables/credentials required" while the code depends on COS configuration.
Instruction Scope
SKILL.md explicitly instructs the user to run the analysis, generate the report and upload the HTML to COS (public internet). The run instructions and the step-by-step scripts upload the locally generated report to a remote public COS link, which means any local file run through this workflow can be sent to external storage. The instructions do not require the user to explicitly provide credentials; instead the code uses credentials built into config.json and constants.
Install Mechanism
This is an instruction-plus-scripts package. It does not download or execute binaries from untrusted URLs; dependencies are installed with pip/npm (openpyxl, qcloud_cos, chart.js). The installation method is proportionate to the purpose, with no high-risk external binary download steps.
Credentials
The registry declares that no environment variables or credentials are needed, but the repository contains config.json and hardcoded SECRET_ID/SECRET_KEY values inside upload_cos.py (they look like Tencent COS credentials). This is both a sensitive credential leak and an inconsistent design: the skill uploads data to third-party storage and ships with the credentials, yet does not list them under required.env. Hardcoded keys and a publicly reachable bucket/URL amplify the risk of data exfiltration and credential abuse.
Persistence & Privilege
always:true is not set; the skill does not force itself to stay resident or modify other skills' configuration. The scripts create output files locally and upload to COS, but there is no indication that they modify system-level configuration or other skills' credentials.
What to consider before installing
What to consider before installing or running this skill:
- Hardcoded cloud credentials: The package includes config.json and upload_cos.py that contain explicit SECRET_ID / SECRET_KEY values and a specific COS bucket (claw-1301484442). This is a serious red flag — the skill will perform network uploads using those credentials. Treat those keys as sensitive (rotate/revoke if they are real) and do not assume they are placeholders.
- Data exfiltration risk: Running the full workflow (weekly_report.py or upload_cos.py) will upload generated HTML reports — potentially containing sensitive customer data — to a public COS URL. If you run this on real data, it will be posted to that external bucket unless you change the target.
- Inconsistency with metadata: The skill metadata lists no required environment variables, but the code relies on embedded credentials. Prefer skills that require the operator to provide their own credentials via environment variables or an explicit configuration step instead of shipping with keys.
- Recommended safe steps before use:
  1. Inspect the repository locally and search for SECRET_ID / SECRET_KEY / AKID* strings. Do not run scripts before removing or replacing keys.
  2. Replace hardcoded credentials: remove credentials from config.json and upload_cos.py; require the user to supply credentials via environment variables or a secure vault. Ensure the code reads credentials from env vars rather than using defaults.
  3. Point uploads to your own cloud account/bucket (and use least-privilege keys for upload only), or disable auto-upload entirely until reviewed.
  4. Run the analysis components (analyze.py, generate_report.py) in an isolated environment first and keep generated artifacts local until you confirm upload behavior.
  5. If the embedded keys are valid, consider them compromised: rotate/revoke them with the owner (if known).
  6. If you need to trust this skill, ask the publisher to remove embedded secrets, document credential handling, and require explicit user-provided credentials in SKILL.md/metadata.
- Additional information that would change this assessment: confirmation that the keys in config.json are deliberate placeholders (not valid credentials) and that the skill was updated to require user-supplied credentials (via env vars) or to disable auto-upload by default. If the bucket and keys are intentionally provided for a controlled internal environment and documented, risk is lower but the current packaging is still poor practice.
Bottom line: the skill appears to do what it claims, but the presence of hardcoded cloud credentials and automatic public upload behavior make it suspicious and risky to run on real data without code/configuration changes and credential handling fixes.
latest: vk975cce7zxc9hn5d0sg3efb4bh84qpzn
