Skill v1.0.0
ClawScan security
Feishu Weekly Report Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 13, 2026, 6:59 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The README/description promises multi-source automatic collection and Feishu API integration, but the included code only reads local git commits and writes a Markdown report. This mismatch (plus a small shell-injection risk) is inconsistent and worth caution.
- Guidance: Before installing or running this skill:
  1. Understand the capability mismatch: the code only collects local git commits and writes a Markdown report; calendar/task collection and Feishu API upload are not implemented.
  2. Inspect the script if you plan to run it: it constructs and executes a git shell command with the provided --git path (execSync with interpolated input), so do not pass untrusted or attacker-controlled paths, to avoid shell injection or unexpected git execution.
  3. If you expect Feishu integration, know that you will need to implement or provide safe code that uses an API token (and that token should be declared and protected).
  4. Run the script from a restricted account and review the generated output before posting it to any external service.
  If you need the claimed calendar/task integrations or direct Feishu upload, request an updated version that implements those features transparently and documents the required env vars.
Review Dimensions
- Purpose & Capability: concern. The skill description claims automatic collection from 'git commits, calendar events, task completions' and Feishu API integration; the actual code only supports collecting local git commits and rendering templates to a local Markdown file. No calendar/task integrations or Feishu API calls are implemented, so the claimed capabilities are overstated.
- Instruction Scope: concern. SKILL.md tells the agent to run node scripts/generate-weekly.mjs and mentions using the Feishu API if you have a bot token, but the runtime instructions do not match the code (the code never calls Feishu APIs). The script reads local templates and may run git commands against any repository path you pass; it does not access external endpoints or other system credentials, but the mismatch grants the agent a misleading scope.
- Install Mechanism: ok. No install spec or external downloads; package.json only defines a Node >=18 runtime. Nothing is fetched from untrusted URLs and no archives are extracted.
- Credentials: note. The skill declares no required env vars or credentials, which matches the code (it does not implement Feishu API calls). However, SKILL.md mentions Feishu bot tokens for direct API upload but does not declare or use any environment variable for that token, an inconsistency users should be aware of.
- Persistence & Privilege: ok. The skill is not always-enabled, does not request special agent/system persistence, and does not modify other skills or system-wide settings. It writes only the generated report file to the filesystem.
