Skillv1.1.0

ClawScan security

语雀 Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 8:16 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and instructions match a Yuque client, but the package metadata does not declare the required credential or clearly-describe the automatic invocation behavior described in SKILL.md — users should review credentials, filesystem effects and destructive commands before installing.
Guidance: This skill is a coherent Yuque API client (scripts to list/get/create/update/delete docs, manage TOC, format Markdown, and do bulk import/export). Before installing: - Be aware it requires your Yuque API token (YUQUE_TOKEN) or a ~/.yuque/config.json; the registry metadata does not declare this, so you must provide the token manually if using the scripts. - Inspect scripts (they are included) — batch.py and toc.py can delete or update many documents; use dry-run options and backups (SKILL.md even recommends exporting/backing up before bulk changes). - Consider scoping the token (minimum scopes: doc:read/doc:write/repo:read/repo:write) and use a token dedicated to the skill (not a broad org admin token). - Note the SKILL.md's instruction to 'proactively call' the skill on any mention of Yuque: if you do not want the agent to autonomously run these scripts when users merely mention Yuque, ensure agent/plugin invocation rules prevent automatic execution or disable autonomous invocation for this skill. If you want to proceed: set YUQUE_TOKEN in the environment (or place a properly-permissioned ~/.yuque/config.json), test with `python scripts/yuque_client.py whoami`, and for any bulk operation run with dry-run / backups first.

Review Dimensions

Purpose & Capability: concernThe skill's name/description (Yuque client: CRUD, TOC, format helpers, batch import/export) matches the included scripts. However the skill metadata lists no required environment variables or primary credential while SKILL.md and the code clearly require a YUQUE_TOKEN (or ~/.yuque/config.json). That mismatch between declared requirements and actual needs is an incoherence that could mislead users about what secrets the skill needs.
Instruction Scope: concernSKILL.md instructs the agent to run the bundled Python scripts (scripts/*.py) and to proactively call the skill whenever the user mentions '语雀' even without an explicit 'use skill' phrase. The scripts legitimately read/write local files (batch export/import writes/reads Markdown files), read ~/.yuque/config.json, and perform destructive actions (toc.py remove defaults to deleting underlying docs; batch.py replace can update many docs). The scope is generally consistent with the stated purpose, but the proactive/autonomous-invocation guidance plus destructive operations raise safety concerns if triggered unexpectedly.
Install Mechanism: okNo install spec is present (instruction-only for Openclaw) and the code is pure Python using only the standard library (urllib). There's no external download or installer. This lowers supply-chain risk; however the skill will execute local Python scripts when invoked.
Credentials: concernThe skill legitimately requires an API token (X-Auth-Token / YUQUE_TOKEN) and optionally a custom base_url for private deployments; the code also reads ~/.yuque/config.json. But the registry metadata declares no required env vars or primary credential. The skill asks for a sensitive secret (API token) — that is proportionate to the purpose — yet failing to declare it in metadata is a visibility/permission mismatch that may cause users to overlook the credential access.
Persistence & Privilege: concernMetadata flags show always:false (correct for most skills) and model invocation is allowed (normal). However SKILL.md explicitly instructs the agent to invoke the skill proactively on any mention of Yuque, which implies near-automatic invocation; this intent is not reflected in metadata (no always:true), creating an inconsistency. Combined with the ability to perform destructive writes (delete docs, update many docs), this raises the potential for unintended actions if the agent autonomously calls the skill.