Deep Technical Report Generator

Pass. Audited by VirusTotal on May 8, 2026.

Overview

Type: OpenClaw Skill
Name: tech-report-generator
Version: 1.0.0

The skill bundle automates technical report generation and synchronization with external platforms like IMA and Tencent Docs. It is classified as suspicious because 'sync-workflow.md' contains explicit instructions for the AI agent to read sensitive credentials from the local filesystem (~/.config/ima/client_id and api_key) and use them in shell-based curl commands to an external API (api.ima.qq.com). While this behavior is documented and aligned with the stated purpose, the practice of handling raw secrets via shell execution and the use of a hardcoded knowledge base ID (kb_id: 6peD1tTQj2UYi41MTaDgLpfVnbCegcA-sjzZLJ0zVPA=) pose a significant security risk if the endpoints or IDs are redirected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A report could be uploaded to a team knowledge base or Tencent Docs before the user has reviewed the content, title, destination, or sharing implications.

Why it was flagged

The skill directs the agent to upload the generated report to IMA and create a Tencent document as part of the normal workflow, but it does not clearly require a final user confirmation before these account-mutating actions.

Skill content
### Phase 5: Automatic sync and distribution
... Use curl PUT to upload the file to COS
... Call add_knowledge to complete ingestion into the knowledge base
... Use the `mcp__tencent-docs__create_smartcanvas_by_mdx` tool

Recommendation

Require an explicit confirmation step before any upload or document creation, show the exact destination, title, and content summary, and provide a dry-run/local-only mode.

What this means

Installing users may not realize the skill expects access to local IMA credentials that can create or modify knowledge-base content under their account or workspace.

Why it was flagged

The workflow reads local IMA account credentials and uses them to authenticate API calls, while the registry metadata declares no primary credential or required config path.

Skill content
CLIENT_ID=$(cat ~/.config/ima/client_id)
API_KEY=$(cat ~/.config/ima/api_key)
... -H "client_id: $CLIENT_ID" \
  -H "api_key: $API_KEY"

Recommendation

Declare the credential and config-path requirements in metadata, document the minimum permissions needed, and ask the user before using local credentials for uploads.

What this means

The actual safety of upload and document-creation behavior depends partly on separately installed skills or MCP tools.

Why it was flagged

The skill depends on other skills/tools for synchronization, but those dependencies are not included, pinned, or reviewed in the provided artifacts.

Skill content
### Required Skills

- **ima-skills** (or **腾讯ima**): used to upload to the IMA knowledge base

### Optional but recommended Skills

- **腾讯文档** (Tencent Docs): used to sync to Tencent Docs

Recommendation

Install only trusted versions of the required integration skills and verify their permissions before enabling automatic sync.

What this means

If the generated report contains confidential, inaccurate, or unreviewed material, it may become searchable and reused by others or future workflows.

Why it was flagged

The generated Markdown is intended to be stored in a knowledge base for indexing and retrieval, creating persistent reusable context.

Skill content
Upload the **Markdown version** of the file (easier for knowledge-base indexing and retrieval)

Recommendation

Review the report for confidentiality and accuracy before syncing, and ensure the destination knowledge base has appropriate access controls.