Fund Report Processor
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill matches its fund-report automation purpose, but it embeds and persists Bitwarden master access for unattended mailbox processing, which is a serious credential-safety issue.
Do not install or run this skill as-is. Rotate the exposed Bitwarden and email credentials, remove plaintext secrets and persistent vault sessions, review the missing/omitted runner code, and only use a version that requires explicit approval with a scoped mailbox credential and clear data-retention controls.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the skill files could learn or abuse vault access, and the agent can retrieve mailbox credentials without prompting the user.
The source embeds a concrete Bitwarden account and master password, then uses them to unlock the vault and retrieve the work-email username/password.
self.email = "1718...@qq.com"; self.master_password = "[plaintext value]" # retrieved from persistent memory
Treat the exposed Bitwarden and email credentials as compromised, rotate them, remove all plaintext secrets from the package, and require explicit user-provided credentials or a scoped secret manager integration.
A persistent memory or session-file leak could expose long-lived access to the password vault and downstream financial email account.
The guide explicitly places the vault master password in persistent agent memory and reuses a saved Bitwarden session file across runs.
Saved in persistent memory (MEMORY.md): ... master password: [redacted] ... save the session to `~/.bw-session`
Do not store master passwords in agent memory; use short-lived user approval, OS keychain/secret storage, and clear session expiration and revocation steps.
The agent could continue accessing email and generating financial outputs on a schedule after the user has stopped actively supervising it.
The skill is designed for unattended scheduled execution while also automatically unlocking credentials and processing mailbox data.
crontab configuration: 0 9 * * * cd /path/to/skill && python3 zero_interaction_runner.py
Require an explicit opt-in for scheduling, document how to disable it, avoid stored master credentials, and add run-time confirmations or least-privilege scopes for sensitive actions.
The skill may read more mailbox content than a user expects for a report extractor, especially when run unattended.
Batch mode searches all messages in the selected folder and fetches full email contents before filtering for fund-report subjects.
result, data = mail.search(None, 'ALL') ... mail.fetch(email_id, '(RFC822)')
Restrict IMAP searches to a dedicated folder, sender, subject, or date range, and ask for confirmation before bulk historical mailbox processing.
Credential handling may depend on unreviewed or environment-supplied code, increasing the chance of unsafe behavior or installation surprises.
A high-impact credential-loading helper is referenced by the source but is not included in the provided manifest, so that credential path is not reviewable and could resolve to unexpected local code.
from bitwarden_loader import load_fund_credentials
Include all credential-handling helpers in the package, pin dependencies, remove stale install references, and ensure the manifest matches the code actually executed.
Users may trust the skill's security posture and run it with sensitive accounts without realizing credentials are embedded in the package.
The user-facing description claims hardcoded passwords are avoided, but the included Bitwarden manager hardcodes a plaintext vault master password.
🔒 Security management: centralized credential management, avoids hardcoded passwords
Correct the documentation, disclose the credential model plainly, and remove the hardcoded master password before distribution or use.
