数据分析与反馈
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is a coherent ad-performance analytics helper with no declared credentials, external tools, or privileged install behavior, but it processes business metrics that users should treat as sensitive.
This appears safe to use for its stated purpose. Before installing or invoking it with real campaign data, treat ad spend/revenue metrics as sensitive, verify log/report visibility, and prefer sanitized report exports if CSV files will be opened in spreadsheets.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Campaign spend, revenue, performance results, and campaign names may remain available within the skill session or runtime logs while analysis/reporting is performed.
The skill stores campaign performance and generated reports in runtime state and logs campaign identifiers/names.
private performance: Map<string, MaterialPerformance> = new Map(); private reports: Map<string, Report> = new Map(); ... this.api.log("info", `Campaign registered: ${id} - ${campaign.name}`);Only provide the campaign data needed for the analysis, and confirm who can access OpenClaw runtime logs or generated reports before using sensitive business metrics.
If material IDs contain commas, newlines, or spreadsheet formula prefixes, exported reports could be malformed or unsafe when opened in a spreadsheet or passed to another workflow.
CSV output is built by directly joining fields, including materialId, without visible CSV quoting or formula neutralization.
const rows = report.topPerformers.map(p => [p.materialId, ...]); const csv = [headers, ...rows].map(row => row.join(",")).join("\n");Escape/quote CSV fields and neutralize cells beginning with characters such as =, +, -, or @ before exporting report data.