Skill v1.0.0

ClawScan security

国顺施工日志助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 4, 2026, 10:07 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (generate standardized Word inspection logs), request no credentials, install nothing risky, and only persists a local project_info file — overall internally consistent.
Guidance
This skill appears to do what it says: generate standardized Word inspection logs from text. Before installing/running: (1) review the scripts/gen_log.py file locally (it’s small and readable) and confirm you accept it writing project metadata to ~/.openclaw/.../project_info.json; (2) install python-docx in a controlled environment (virtualenv) if you don’t want system-wide Python changes; (3) avoid providing sensitive information in the text you feed the skill since it will be written into generated documents and a local project_info file; (4) if you need network-free assurance, run the script offline — it has no network calls or credential usage. If you want me to, I can list the full script contents, point out exact lines where files are written, or suggest a safer location for the project_info file.

Review Dimensions

Purpose & Capability
ok: Name/description match the included script (scripts/gen_log.py) and reference docs: the code parses user text into structured fields and generates Word documents in the stated FH-001/SG-001/AQ-001/etc. formats. There are no unrelated credentials, binaries, or services requested.
Instruction Scope
ok: SKILL.md instructions and the script are aligned: they ask for project info and a text description, then produce a .docx. The runtime steps only parse text, format content, save a project_info JSON, and create a Word file. The instructions do not direct the agent to read unrelated system files or send data off-host.
Install Mechanism
ok: No install spec in the registry; the SKILL.md recommends installing python-docx via pip, which is proportional for generating .docx files. No downloads from arbitrary URLs or archive extraction are present.
Credentials
ok: The skill requires no environment variables or external credentials. The only persistent state is a local JSON project_info stored under the user's home directory as documented; no secrets are requested or accessed.
Persistence & Privilege
note: The skill persists project metadata to ~/.openclaw/extensions/wecom-openclaw-plugin/skills/guoshun-inspection-logger/project_info.json so subsequent runs auto-use saved project info. This is reasonable for convenience but users should be aware that project metadata is stored on disk.