Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Report
v1.0.3
Configure custom recurring reports. User defines data sources, skill handles scheduling and formatting.
⭐ 2 · 1.2k · 6 current · 6 all-time
by Iván @ivangdavila
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (recurring reports, scheduling, formatting) align with required actions: creating ~/report/, storing config/data, scheduling jobs, rendering formats, and delivering via channels. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md explicitly reads/writes under ~/report/, manages cron-scheduled jobs, and can POST to webhooks / send to Telegram / email. That is within reporting scope, but the skill will deliver report content to external endpoints configured by the user — verify each destination is trusted before configuring it. The instructions also reference a 'browser action=pdf' step (headless browser) which implies the agent environment must provide a PDF-rendering capability.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk delivery mechanism. It does not download or install external packages.
Credentials
No required environment variables or credentials are declared; API keys are optional and explicitly user-provided (examples: STRIPE_API_KEY, GITHUB_TOKEN). The declared metadata shows optional USER_PROVIDED_API_KEYS. Requested env usage is proportional to the stated purpose.
Persistence & Privilege
always:false (normal). The skill relies on scheduled cron jobs which will cause autonomous execution at configured times — expected for a scheduling/reporting tool. Users should be aware scheduled runs may send data to configured external channels without an interactive prompt.
Assessment
This skill appears to do what it says, but before installing:
1) Review and restrict access to ~/report/ (it will store configs, data, and logs).
2) Only set API keys as environment variables if you trust the reporting configs and the machine; prefer per-report least-privilege keys and rotate them if possible.
3) Carefully vet any delivery endpoints (webhook URLs, Telegram chat IDs, email recipients) — reports may contain sensitive data and scheduled runs will send them automatically.
4) Confirm your agent environment supports the referenced actions (cron scheduling, 'browser action' PDF rendering, and delivery integrations).
5) If you need monitoring/auditing, keep delivery.log and generated files under a secure directory and review failures regularly.
Like a lobster shell, security has layers — review code before you run it.
latestvk975c6syha9h03e9spgj1kfw4s818ysa
Runtime requirements
📊 Clawdis
OS: Linux · macOS · Windows
