Weekly Report Generator

This skill appears to implement GitHub-based weekly reports and does not contain obviously malicious code, but there are mismatches you should be comfortable with before installing: - The registry metadata declares no required env vars, but the code uses GITHUB_TOKEN and README/SKILL.md mention FEISHU and reminders credentials. Treat this as an omission and assume you must provide a token for private repo access. - The SKILL.md/README reference additional source files (calendar/reminders collectors) that are not included. The missing files may mean some integrations won't work or the package is incomplete. - The script uses dotenv and will load a local .env if present — ensure your .env does not contain unrelated secrets you don't want the skill to read. Steps to reduce risk: - Inspect the included scripts/generate-report.mjs yourself (or have a developer do so) to confirm where network calls are sent (GitHub API is expected). Look for any hard-coded remote endpoints beyond api.github.com. - If you must provide a GITHUB_TOKEN, create a token with the minimum scopes required (public_repo or repo scope as needed), or use a read-only token / throwaway account if you want to test. - Run the skill in dry-run mode first and with GITHUB_TOKEN unset to verify behaviour without exposing credentials. - Ask the publisher for the missing source files or a project homepage and verify the author (fx-world888) before providing any private credentials. Given the inconsistencies (undeclared env vars, missing modules), I mark this as suspicious rather than benign; these could be harmless packaging oversights but deserve verification.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.