Pharmaceutical Bidding
Verdict: Review
Audited by ClawScan on May 10, 2026.

Overview
The bidding-collection purpose is mostly coherent, but the skill needs Review because helper code reads OpenClaw/WeChat configuration secrets and can print sensitive tokens while also setting up automatic WeChat Work updates.
Review and edit the WeChat/OpenClaw configuration helpers before installing. Avoid printing tokens or EncodingAESKey values, restrict the WeChat Work app/webhook to the minimum permissions, test with a non-production table, and only enable the daily scheduler once you are comfortable with the automatic updates.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the validation helper could reveal WeChat/OpenClaw secrets in terminal output or logs, increasing the risk of workspace or message-channel compromise.
The helper searches for a global OpenClaw config file and prints WeCom callback secrets to the console. This credential exposure is not declared in metadata and is broader than the main bidding-collection task.
configPath = path.join(__dirname, '..', '..', 'openclaw.json'); ... console.log(' - Token: ' + wechatConfig.token); console.log(' - EncodingAESKey: ' + wechatConfig.encodingAesKey);

Do not run the global WeCom validation helper unless needed; remove secret printing, mask tokens/keys, and restrict the skill to its own config file.

Incorrectly scraped or evaluated bidding data could be pushed to team channels or tables and influence sales decisions.
The skill automatically posts collected bidding information to WeChat Work messages and optionally writes to a smart table. This matches the stated purpose, but it mutates a business workspace without per-record confirmation.
await this.wechatAPI.sendMarkdown(markdownContent); ... if (this.config.wechatWork.smartTableId) { await this.wechatAPI.recordToSmartTable(record); }

Use a test webhook/table first, limit the WeChat Work app's permissions, and review early outputs before enabling production posting.

The process may continue running and posting updates automatically each day until stopped.
When started, the script both schedules a daily 8:30 task and immediately runs the workflow once. This persistence is disclosed by the skill, but users should be aware it keeps operating after startup.
cron.schedule('30 8 * * *', async () => { ... await this.executeFullWorkflow(); }); ... collector.executeFullWorkflow().catch(console.error);

Run it under a supervised service account, confirm the schedule is desired, and document how to stop or disable the cron/scheduler.

Installing the skill runs a normal npm dependency install, fetching and executing package code, and this is not reflected in the registry requirements.
The registry says there is no install spec, but the README instructs users to install Node dependencies. This is expected for the included JavaScript code, yet the setup requirements are under-declared.
cd skills/pharmaceutical-bidding
npm install

Review package.json/package-lock.json before installing, use a locked dependency install, and run the skill in a restricted environment.
