Skillv1.0.0

ClawScan security

课件帮 Aippt · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 23, 2026, 12:16 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely matches its stated purpose (creating PPTs via Kejian365) but has multiple internal inconsistencies and some risky choices (undeclared required credential, credential persistence to disk, and contradictory display rules) that you should understand before installing.
Guidance: Things to consider before installing: - The code requires KEJIAN365_AUTH_TOKEN but the registry metadata does not declare this — expect to provide that env var or the script will fail. - Do NOT paste your real token directly into chat as suggested in README; prefer setting KEJIAN365_AUTH_TOKEN in a secure environment (or a scoped temporary token). Pasting into chat stores the secret in conversation history and is risky. - The helper script saves the auth token into task_state.json in the chosen work directory. If you install/use this skill, decide where work directories will live and who can access them; remove task_state.json after use if you don't want the token retained. - The SKILL.md contains contradictory rules about showing links/IDs vs. the scripts printing the view URL — confirm with the publisher how links will be handled so your tokens and raw URLs are not inadvertently exposed. - If you need stronger assurance: inspect the repository yourself, run the scripts locally with a temporary test token, or ask the publisher to (a) declare required env vars in registry metadata, (b) stop persisting auth_token to state files, and (c) avoid instructing users to paste tokens into chat. - Overall: the skill appears to implement the stated functionality, but the metadata/README/instructions mismatch and the token-on-disk behavior are meaningful risks you should address before trusting production secrets.

Review Dimensions

Purpose & Capability: concernThe code and SKILL.md clearly use the Kejian365 API and require an auth token (KEJIAN365_AUTH_TOKEN). However the registry metadata lists no required env vars or config paths — that metadata omission is inconsistent and could mislead users about what secrets are needed.
Instruction Scope: concernSKILL.md prescribes a linear workflow and instructs the agent to use the provided helper scripts rather than calling APIs directly. However the SKILL.md contains contradictory guidance: a 'HARD RULE' says NEVER show raw URLs/ppt_id/work_dir to the user, but the scripts print a view URL to stdout which the agent is instructed to parse and display (and Step 6 says to show the preview link). The instructions also require writing/reading state and params files in a workspace — the agent will read/write local files (task_state.json, params.json).
Install Mechanism: okNo install spec is present (instruction-only with small helper scripts). No external downloads or package installs are requested, which is appropriate for the described functionality.
Credentials: concernOnly one credential is needed in practice (KEJIAN365_AUTH_TOKEN), which is proportional. But that credential is not declared in the registry metadata (inconsistency). The README additionally encourages pasting your token into chat (saving it in conversation memory) which is a privacy risk and not necessary given the env-var option.
Persistence & Privilege: concernThe scripts persist state into a work directory (task_state.json) and explicitly save the auth token into that file under the key auth_token. This means the provided token can be written to disk in workspace paths (e.g., /mnt/user-data/workspace/...), potentially accessible later by other processes or skills. The skill does not request broader system privileges, but storing secrets to disk is a noteworthy persistence/privacy risk.