蜂兵虾将
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill’s core idea is coherent, but it asks the agent to build persistent user profiles and perform scheduled/background work with unclear user controls.
Review this skill before installing if you do not want long-term user profiling, persistent workflow memory, scheduled reports, or background preparation. If you use it, keep sensitive personal, financial, medical, customer, or business-confidential data out of the workflow unless retention and deletion behavior are clarified.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be expected to act or prepare reports on a schedule rather than only when explicitly asked.
The skill advertises scheduled autonomous reporting and unattended execution, but the artifacts do not clearly define how the user starts, stops, limits, or audits this background behavior.
自动执行不用盯。每天上午10点、下午4点自动打报告
Require explicit opt-in for any scheduled/background behavior, document how to disable it, and keep user confirmation mandatory for meaningful actions.
The agent could take more steps automatically over time because it learned that the user often skips confirmations.
The adaptive strategy reduces confirmation based on observed user behavior. This can be useful, but it weakens approval boundaries without clearly specifying which actions still require explicit confirmation.
跳过率 > 60% | 减少确认步骤
Keep explicit approval for publishing, account changes, purchases, file deletion, persistent memory changes, and any irreversible or public action.
Personal preferences, behavior patterns, task history, and generated work products may persist and influence future outputs.
The skill stores user profiles and multi-layer memory, including permanent workflow retention, but does not clearly describe retention controls, deletion, isolation between tasks, or what user data should be excluded.
用户画像 | 记录用户交互偏好 ... module4 ... retention: "永久" ... memory: { enabled: true, layers: ['L0', 'L1', 'L2', 'L3', 'L4'] }Before installing, decide what information may be stored; the skill should add clear memory scope, retention limits, deletion commands, and sensitive-data exclusions.
Information supplied for one module may be visible to other modules in the workflow.
Passing outputs among agents is expected for this multi-agent workflow, but it means information gathered or generated in one module can be reused by later modules.
模块1-4有序执行 ... 需要接收模块1-3的完整输出
Avoid giving the skill confidential data unless you are comfortable with it being reused across the whole workflow and stored in memory.
It may be harder to verify where the code came from or whether updates are trustworthy.
The registry metadata does not identify a source repository or homepage, while the package includes runnable JavaScript/package files. This is a provenance gap, not proof of malicious behavior.
Source: unknown; Homepage: none
Only run the included npm scripts or install.sh after reviewing the package source and confirming it came from a trusted publisher.
Users may rely too heavily on automated trend or business advice, especially in sensitive areas like finance or healthcare.
The skill uses strong money-making and effort-reduction claims. This is marketing language, but it may encourage over-trust in automated analysis and recommendations.
让AI替你干活,你躺着赚钱!
Treat outputs as drafts or research aids, and independently verify facts and business, medical, financial, or legal conclusions.