Weekly Checker

Advisory. Audited by VirusTotal on Apr 16, 2026.

Overview

Type: OpenClaw Skill
Name: weekly-checker
Version: 1.0.0

The skill bundle describes a system auditing tool that performs high-risk activities: scanning for plaintext keys, checking permissions on sensitive files, and sending data to an external endpoint (Feishu/Lark). These actions are consistent with the 'weekly security check' described in SKILL.md, but combining credential hunting with automated reporting to an external webhook is a significant security risk, especially because the primary execution logic in 'tools/weekly_checker.py' is not included in the bundle and cannot be verified.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The checker could keep running on a schedule and send alerts even when the user is not actively invoking it, depending on how the referenced scheduler is set up.

Why it was flagged

The skill describes scheduled background execution and automatic notifications, but the package has no install spec or clear opt-in/disable controls for that persistence.

Skill content
### Automatic execution
- **Time:** every Monday at 09:00
- **Method:** runs automatically as a scheduled task
- **Notification:** immediate Feishu notification when a problem is found
Recommendation

Install only if you want scheduled monitoring; require explicit scheduler setup, a documented disable/uninstall path, and confirmation before enabling notifications.

What this means

System status, security findings, and possibly details about leaked keys or local configuration could be sent to an external chat recipient.

Why it was flagged

The skill instructs sending check results to a specific Feishu recipient, but the artifacts do not define who controls that recipient, what data is included, how credentials are configured, or how sensitive findings are redacted.

Skill content
4. Send a Feishu notification to Teacher Ji (纪老师)
Recommendation

Verify the Feishu destination, webhook/token handling, and message contents; require redaction of secrets and user approval before sending sensitive reports.

What this means

A broad scan could read or summarize sensitive local configuration or secrets, and those findings may be stored in reports or included in notifications.

Why it was flagged

The checker is expected to inspect credentials, access-control configuration, sensitive information, file permissions, and plaintext keys, but the artifacts do not bound which files or credential locations are in scope.

Skill content
3. **Configuration security** - credential management, access control
5. **Security risks** - sensitive information, file permissions
- [ ] Plaintext key detection
Recommendation

Limit scans to explicit directories, exclude secret stores unless approved, redact key values, and document exactly what credential/config data can appear in reports.
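The two recommendations above (verify what reaches the Feishu recipient, and bound the scan to explicit directories with redacted key values) can be checked against a concrete implementation. The following is an added example written for this advisory; it is not the skill's own `tools/weekly_checker.py`, which was not submitted. The key patterns, the excluded-store list, the sample files and the Feishu custom-bot text-message shape are assumptions for the example. The scanner walks only the roots it is given, prunes secret stores such as `.ssh` before descending, and records a fingerprint of each match instead of the value, so the report it builds can be sent without leaking the key it found.

```python
"""Scoped plaintext-key scan whose report never contains a raw secret (added example)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Key patterns are assumptions for this example; tune them to the environment being audited.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}
# Secret stores the scanner must not open unless the user explicitly approves them (assumed list).
EXCLUDED_DIRS = {".ssh", ".gnupg", ".aws", ".password-store"}
MAX_FILE_BYTES = 1_000_000


def redact(secret: str) -> str:
    """Replace a secret value with a fingerprint that helps triage but cannot be reused."""
    digest = hashlib.sha256(secret.encode("utf-8")).hexdigest()[:8]
    return f"{secret[:4]}...({len(secret)} chars, sha256 {digest})"


def scan(roots, excluded=EXCLUDED_DIRS):
    """Walk only the given roots, skip excluded stores, and collect redacted findings."""
    findings = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            # Prune in place so os.walk never descends into an excluded store.
            dirnames[:] = [d for d in dirnames if d not in excluded]
            for name in filenames:
                path = Path(dirpath) / name
                try:
                    if path.is_symlink() or path.stat().st_size > MAX_FILE_BYTES:
                        continue
                    text = path.read_text(encoding="utf-8", errors="ignore")
                except OSError:
                    continue
                for lineno, line in enumerate(text.splitlines(), 1):
                    for kind, pattern in KEY_PATTERNS.items():
                        for m in pattern.finditer(line):
                            value = m.group(m.lastindex or 0)
                            findings.append({
                                "path": str(path),
                                "line": lineno,
                                "kind": kind,
                                "fingerprint": redact(value),  # no raw value stored
                            })
    return findings


def build_feishu_payload(findings):
    """Text message in the shape a Feishu custom-bot webhook accepts (assumed format)."""
    lines = [f"Weekly check: {len(findings)} plaintext key finding(s)"]
    lines += [f"- {f['kind']} at {f['path']}:{f['line']} -> {f['fingerprint']}" for f in findings]
    return {"msg_type": "text", "content": {"text": "\n".join(lines)}}


def demo():
    """Constructed sample tree: one key in scope, one inside an excluded .ssh directory."""
    aws_key = "AKIAIOSFODNN7EXAMPLE"  # constructed test value, not a real credential
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        app.mkdir()
        (app / "config.env").write_text(f"AWS_ACCESS_KEY_ID={aws_key}\n", encoding="utf-8")
        ssh = Path(tmp) / ".ssh"
        ssh.mkdir()
        # Would match the AWS pattern if the scanner descended into .ssh; it must not.
        (ssh / "id_rsa").write_text("AKIAZZZZZZZZZZZZZZZZ\n", encoding="utf-8")
        findings = scan([tmp])
        payload = build_feishu_payload(findings)
    return findings, payload, aws_key


if __name__ == "__main__":
    found, msg, _ = demo()
    print(msg["content"]["text"])
```

Sending the payload is deliberately left out: the page's recommendation is that a sensitive report goes to the webhook only after the destination has been verified and the user has approved it, so the send step should sit behind that confirmation rather than inside the scanner.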

What this means

Even limited automatic fixes can affect troubleshooting evidence or service availability if the implementation is too broad.

Why it was flagged

The skill mostly says to wait for instructions, but it also allows automatic remediation such as deleting old logs and restarting a gateway service based on broad criteria like 'zero risk.'

Skill content
Automatic repair is allowed only when:
- ✅ A clear fix is available
- ✅ The fix is reversible
- ✅ The risk is zero
...
- ✅ Clean up log files older than 30 days
- ✅ Restart stopped gateway services
Recommendation

Require explicit user approval for log deletion and service restarts, or define exact paths, dry-run behavior, rollback, and confirmation rules.
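For the log-cleanup action specifically, the recommendation above translates into three controls: an explicit directory rather than a broad search, a dry run that only lists what would be touched, and a reversible operation instead of deletion. The following is an added example written for this advisory, not code from the skill (whose script was not submitted). The log directory, suffixes and sample files are assumptions; the "quarantine" move is a stand-in for whatever rollback mechanism the real tool would document. Restarting services is not shown, since the page does not name the gateway service.

```python
"""Gated, reversible cleanup of logs older than 30 days (added example, not the skill's code)."""
import os
import shutil
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 30
LOG_SUFFIXES = (".log", ".log.gz")  # assumed; only these names are ever considered
QUARANTINE_NAME = ".quarantine"     # assumed holding area that makes the action reversible


def stale_logs(log_dir, max_age_days=MAX_AGE_DAYS, now=None):
    """List regular log files directly under log_dir older than the cutoff, touching nothing."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    candidates = []
    for p in sorted(Path(log_dir).iterdir()):
        if p.is_symlink() or not p.is_file():
            continue  # never follow links out of the directory, never recurse
        if p.name.endswith(LOG_SUFFIXES) and p.stat().st_mtime < cutoff:
            candidates.append(p)
    return candidates


def cleanup(log_dir, approved=False, now=None):
    """Dry run by default; with approval, move (not delete) stale logs into the quarantine dir."""
    candidates = stale_logs(log_dir, now=now)
    if not approved:
        return {"mode": "dry-run", "would_move": [p.name for p in candidates], "moved": []}
    quarantine = Path(log_dir) / QUARANTINE_NAME
    quarantine.mkdir(exist_ok=True)
    moved = []
    for p in candidates:
        shutil.move(str(p), str(quarantine / p.name))
        moved.append(p.name)
    return {"mode": "applied", "would_move": [], "moved": moved}


def rollback(log_dir):
    """Undo a cleanup by moving every quarantined file back; returns the restored names."""
    quarantine = Path(log_dir) / QUARANTINE_NAME
    restored = []
    if quarantine.is_dir():
        for p in sorted(quarantine.iterdir()):
            shutil.move(str(p), str(Path(log_dir) / p.name))
            restored.append(p.name)
    return restored


def demo():
    """Constructed sample: a 40-day-old log, a fresh log, and an old file that is not a log."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        log_dir = Path(tmp)
        for name, age_days in (("old.log", 40), ("fresh.log", 2), ("notes.txt", 90)):
            p = log_dir / name
            p.write_text("sample\n", encoding="utf-8")
            stamp = now - age_days * 86400
            os.utime(p, (stamp, stamp))
        dry = cleanup(log_dir, approved=False, now=now)
        applied = cleanup(log_dir, approved=True, now=now)
        present_after_apply = sorted(p.name for p in log_dir.iterdir() if p.is_file())
        restored = rollback(log_dir)
        present_after_rollback = sorted(p.name for p in log_dir.iterdir() if p.is_file())
    return {
        "dry": dry,
        "applied": applied,
        "after_apply": present_after_apply,
        "restored": restored,
        "after_rollback": present_after_rollback,
    }


if __name__ == "__main__":
    print(demo())
```

The `approved` flag is where the user's confirmation belongs; a scheduled run that cannot obtain it should stop at the dry-run report and include the candidate list in its notification rather than acting.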

What this means

Users cannot confirm from these artifacts what the referenced script actually does or whether it matches the documentation.

Why it was flagged

The skill references a helper script, but the submitted artifact set contains only SKILL.md and no code files, so the actual checks, notifications, and remediation logic cannot be reviewed here.

Skill content
Command line: `python tools/weekly_checker.py`

- Check tool: `tools/weekly_checker.py`
Recommendation

Review the referenced script and any scheduler configuration before installing or enabling the skill.