Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Report Generator
v1.0.0
Automated sales and performance report generator for retail store managers. Generates daily, weekly, and monthly reports from POS/ERP data. Highlights anomal...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to pull POS/ERP data and deliver reports to channels (WeCom/Telegram). However, it declares no required environment variables, credentials, or config paths. A report generator legitimately needs connectors and auth for POS/ERP and delivery channels; those are not declared or provided.
Instruction Scope
SKILL.md instructs the agent to run scripts (e.g., scripts/generate_report.py --period ...) and references a data-connectors.md file, but neither the scripts nor data-connectors.md appear in the package. It also refers to a runtime `report_config` (sources, delivery_channel, recipients) without specifying how that config is created or secured. These gaps mean the instructions assume external files/configs that are not present and give the agent broad, unspecified discretion about data sources and recipients.
Install Mechanism
Instruction-only skill with no install spec and no bundled code reduces supply-chain risk. Nothing is downloaded or executed from external URLs by the skill package itself.
Credentials
No environment variables or primary credential are declared, yet the skill requires access to POS/APIs and delivery channels which normally need API keys/tokens. The absence of declared secrets is disproportionate to the claimed functionality and leaves unclear where credentials must live and how they're protected.
Persistence & Privilege
always is false and the skill does not request persistent system changes. It does mention scheduled automatic delivery, but provides no mechanism for establishing schedules or persistent agents; that scheduling behavior is ambiguous but not a declared privilege escalation.
What to consider before installing
Do not install blindly. Before using, ask the publisher for: (1) the missing data-connectors documentation and the actual scripts (scripts/generate_report.py) that the SKILL.md references; (2) a clear list of required credentials (POS/ERP API keys, WeCom/Telegram tokens) and guidance for storing them securely; (3) explanation of how scheduled delivery is implemented and who can change recipients. If those are not provided, treat the skill as non-functional and avoid giving it access to production credentials or sensitive data. Test in a sandbox with fake data and minimal delivery targets first.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ajjbez1vtbs34acz512ahx583fkss
Runtime requirements
📊 Clawdis
