Fastmoss Report
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s report-generation purpose is coherent, but it asks the agent to use FastMoss credentials, publish reports online, and push links to a Feishu group without enough declared scope or confirmation.
Only use this skill if you intend the agent to log into FastMoss, generate and deploy a report, and possibly send the link to a Feishu group. Remove hard-coded passwords, use your own scoped credentials, and require confirmation before publishing or sharing any report.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may log into a FastMoss account using sensitive credentials, and an embedded/shared password could expose or normalize unsafe credential handling.
The skill instructs the agent to use FastMoss login credentials and appears to include a specific password value, while the registry metadata declares no required env vars or primary credential.
FASTMOSS_ACCOUNT="" FASTMOSS_PASSWORD="" ... Password: aaa060 (rotated every 5 days; the rotation date is recorded in memory)
Declare required credentials in metadata, remove any concrete password from the skill text, and use per-user secrets or a clearly scoped authentication flow.
A report containing business or market analysis could be made externally accessible and shared to a group before the user reviews it.
The instructed workflow publishes the report and sends the link after generation, but does not require a user preview or confirmation before external deployment or group posting.
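### 5. Vercel deployment - Deployment directory format: `fastmoss-YYYY-MM-DD` - Get the URL after deployment ### 6. Message push - Send the report link to the user by direct message - If `FEISHU_GROUP_ID` is configured, also send it to the group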
Add an explicit confirmation step before Vercel deployment and before any Feishu group message, and clearly state who can access the deployed report.
Report links may be shared to a workplace chat group whose membership or permissions the user did not intend for that run.
The skill sends report links into a Feishu group based only on a configured group ID, without describing sender identity, group audience, access controls, or data-sharing boundaries.
# Feishu group ID (management office group) FEISHU_GROUP_ID="" ... If `FEISHU_GROUP_ID` is configured, also send it to the group
Require per-run confirmation of the Feishu destination, document the bot/account identity used for posting, and avoid sending sensitive report links to groups by default.
Credential-related memory could be reused in later tasks or become stale if not managed carefully.
The skill proposes storing credential-rotation state in persistent memory. The stated item is the change date rather than the password itself, but it is still credential-related persistent context.
Password: aaa060 (rotated every 5 days; the rotation date is recorded in memory)
Store only non-secret rotation metadata, never store the password itself in memory, and make updates explicit and user-approved.
