BP Monthly Report Writer
Pass. Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for drafting BP monthly reports, but it necessarily reads internal BP/work-report data and stores local intermediate report artifacts.
Before using this skill, make sure you are allowed to access the target BP node and month, store generated artifacts somewhere protected, and inspect any helper scripts before running them. The provided artifacts do not show exfiltration, destructive behavior, or hidden persistence beyond the disclosed report files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may read BP goals, key results, standards, and linked work reports for the selected business node.
The skill expects delegated access to BP and linked report data. This is sensitive business access, but the visible instructions scope it to a confirmed period and node.
fetch the node's BP goals, key results, measure standards, and linked reports ... Ask for and confirm the `BP周期` and the `目标节点` before fetching BP data.
Use it only with an account authorized for the target BP period and node, and confirm the exact scope before allowing data fetches.
Generated folders may contain business evidence, source references, AI judgments, and user review content that should not be exposed casually.
The workflow persists evidence, judgments, cards, and reviewed reports locally. This supports auditability and rolling reports, but it can retain sensitive business context for later reuse.
Every report run must leave a folder with both the final report and the intermediate artifacts ... `03_evidence_ledger.md` ... `04_cards/` ... `07_user_review_report.md`
Store outputs in an approved location, review what evidence is retained, and delete or restrict access to artifacts when they are no longer needed.
If the helper scripts are run, the user is relying on package contents whose upstream provenance is not clear from the registry metadata.
The registry context does not provide a source homepage and lists helper scripts despite no install spec. The provided artifacts do not show automatic execution or suspicious static findings, so this is a provenance/review-context note rather than a concern.
Source: unknown; Homepage: none ... No install spec — this is an instruction-only skill ... 6 code file(s): scripts/...
Review the included scripts and run them only in an appropriate workspace; no evidence here indicates they are auto-executed.
