Skillv0.1.0

ClawScan security

zeelin-writing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 30, 2026, 5:04 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches a writing/publishing assistant, but its runtime instructions and scripts request saving credentials, auto-read local files without explicit consent, and modify shell startup files—while the published metadata does not declare these environment/credential requirements and some referenced scripts are missing.
Guidance: Things to consider before installing: - The skill will ask you to provide GOOGLE_API_KEY and WECHAT_APP_ID/WECHAT_APP_SECRET and instructs saving them to a .env inside the skill directory — that is expected for publishing functionality — but the published metadata did not declare these credentials. Ask the maintainer to update metadata to declare required env vars. - The initialization script can append GOOGLE_API_KEY to your ~/.zshrc or ~/.bashrc, which persistently exposes that secret to your entire shell environment. Prefer keeping secrets in a skill-local file (e.g., $SKILL_DIR/.wechat/.env) rather than modifying shell rc. If you plan to use it, reject automatic rc modifications and add keys manually to a skill-only location. - SKILL.md says the agent will automatically read local directories (./知识资料, ./历史文章) and any file attachments you include, and run Steps 2–10 without pausing. If you have sensitive files in the current working directory, run the skill from a dedicated/sandbox directory or inspect the code first. - Some referenced helper scripts and node scripts are missing (e.g., 生成封面图-批量.sh, 检查文章质量.js). Expect runtime errors or incomplete behavior; request a complete release or inspect scripts before allowing the skill to run commands that auto-install packages. - The TypeScript converter auto-runs npm install if dependencies are missing. Running the scripts will cause npm packages to be installed into the skill directory — run in a controlled environment or review package.json first. Recommendations: ask the publisher for a corrected manifest that lists required env vars, a signed/complete release including the missing scripts, and avoid allowing the skill to modify your shell rc; keep credentials scoped to the skill directory and run the skill in a sandboxed folder first. If you are unsure, refuse or run in an isolated environment (VM/container) and review the code changes it will make.

Review Dimensions

Purpose & Capability: concernThe described purpose (write, format, generate cover, publish to WeChat / 小红书) reasonably explains needing a WeChat app id/secret and an API key for cover generation. However, the skill registry metadata claims no required env vars or credentials while SKILL.md instructs the agent to request and save GOOGLE_API_KEY and WECHAT_APP_ID/WECHAT_APP_SECRET. That mismatch (metadata says none, runtime asks for secrets) is inconsistent and should be clarified.
Instruction Scope: concernSKILL.md directs the agent to automatically load local content (user-attached files, ./知识资料/, ./历史文章/) '自动，不询问' and to proceed from Step 2 → Step 10 without pausing or asking for confirmation. It also instructs creating and writing configuration files ($SKILL_DIR/.wechat/.env) and using local scripts. Automatic scanning/reading of arbitrary project directories and attachments without explicit, per-action consent is broader than typical for a simple writer assistant and increases privacy risk.
Install Mechanism: noteThere is no formal install spec (instruction-only), which avoids remote downloads. However included code (scripts/markdown-to-html.ts) runs an in-process npm install (execSync('npm install') if deps missing), causing code to be written/installed locally when executed. That's moderate risk but not unusual. Also several scripts and referenced helper scripts (e.g., scripts/生成封面图-批量.sh, node scripts like 检查文章质量.js) are referenced but missing from the package, indicating an incomplete package that may fail or prompt unexpected behavior.
Credentials: concernThe skill asks for GOOGLE_API_KEY and WECHAT_APP_ID/WECHAT_APP_SECRET in SKILL.md (needed for cover generation and publishing), which is plausible for its stated purpose. But metadata does not declare these as required credentials. Worse, scripts/初始化.sh offers to append GOOGLE_API_KEY to ~/.zshrc or ~/.bashrc (persisting a secret globally), which is disproportionate compared to writing a skill-local .env file. Requesting sensitive credentials is expected for publishing features, but the instructions for storing them (global shell rc) and the mismatch with metadata are concerning.
Persistence & Privilege: concernThe skill explicitly instructs persistent configuration (create $SKILL_DIR/.wechat/.env) and the initialization script may add environment exports to the user's shell startup files (~/.zshrc, ~/.bashrc). SKILL.md also says steps 2–10 run automatically without asking, which combined with stored credentials could allow actions (e.g., publishing) to proceed autonomously. The skill metadata does not set always:true, but the documented behavior gives it effective persistence and the ability to act without further prompts if credentials are saved.