Skill v1.0.0

ClawScan security

geo-quickhook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 8:07 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and runtime instructions mostly match its stated pre-sales reporting purpose, but there are multiple inconsistencies and missing declarations (required environment variables, Python dependency, file-path expectations, and Feishu/send workflow) that warrant caution before installing.
Guidance
This skill implements the advertised pre-sales report, but there are some mismatches and missing declarations you should address before running it:

- The SKILL.md and script require LLM_API_KEY, LLM_BASE_URL, and LLM_MODEL, but the package metadata lists no required environment variables — set these yourself only in a safe/testing environment and confirm where they are stored.
- The Python script uses the OpenAI client; install and audit Python dependencies (e.g., pip install openai) before running.
- SKILL.md assumes the generated HTML will be on ~/Desktop and runs a local http.server plus pkill and browser/screenshot actions. Verify the script's output location and consider running it in an isolated directory or sandbox to avoid accidental exposure of other files.
- The Feishu send step uses a placeholder open-id (YOUR_FEISHU_OPEN_ID) and expects the agent/platform to have Feishu messaging configured — confirm what credentials are used and where they are stored before enabling send actions.
- Because the script reuses the same LLM API key across multiple 'engines', be aware this concentrates access to a single credential; if you expect per-engine keys, configure ENGINE_MAP explicitly.

Recommended actions: review the full quick_hook.py (complete file), install dependencies in a virtualenv, run locally on non-production credentials first, and request that the author update the skill metadata to declare required env vars and dependencies to remove ambiguity.

Review Dimensions

Purpose & Capability
note: The skill claims to query multiple AI 'engines' and produce a competitive HTML card — the included Python script implements that flow and requires an LLM API (LLM_API_KEY/LLM_BASE_URL/LLM_MODEL), which is consistent with the stated purpose. However, the skill metadata declares no required environment variables while SKILL.md and the script clearly require an LLM API key and related vars.
Instruction Scope
concern: SKILL.md instructs spawning a sub-agent to run a local Python script, launching a local HTTP server, reading ~/Desktop for the generated HTML, opening it in a browser, taking screenshots, and sending images to Feishu. These steps involve local process control (pkill), file-system assumptions (Desktop path), and external messaging that are broader than a simple API query flow and are not fully justified or documented (e.g., no Feishu credentials declared).
Install Mechanism
note: There is no install spec (instruction-only), so nothing will be written automatically — lower install risk. However, the code imports the OpenAI client (openai.OpenAI) but the skill does not declare Python package dependencies or provide an install step; users must manually install Python dependencies (e.g., the openai package).
Credentials
concern: The runtime explicitly requires LLM_API_KEY, LLM_BASE_URL, and LLM_MODEL, but the skill metadata lists no required env vars. The SKILL.md also expects Feishu messaging (a target open-id) but does not declare any Feishu credentials or how those are supplied. The LLM key will be reused for all 'engines' unless the user configures an ENGINE_MAP, which may be unexpected.
Persistence & Privilege
note: always:false and no special platform privileges are requested. The skill asks the agent to spawn a sub-agent and to use browser/file actions to post a screenshot to Feishu — this is normal for a user-triggered tool but increases the blast radius if used with real credentials. The skill does not request permanent/always-on installation.