Skill v0.1.0
ClawScan security
zeelin-writing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 5:03 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (a writing assistant that can generate covers and publish to WeChat) largely matches its behavior, but there are notable inconsistencies and potentially risky instructions (automatic local file reads, writing credentials to files or shell rc, auto-installing npm packages, and references to missing scripts) that you should review before installing or running.
- Guidance: Before installing or running this skill:
  - Inspect the scripts yourself (especially scripts/初始化.sh and scripts/markdown-to-html.ts). They will create project directories, read local files (./知识资料/, ./历史文章/, attached @files), and may auto-install npm packages by running 'npm install' via execSync.
  - Do not paste your WeChat App Secret or Google API key unless you intend to let the skill publish on your behalf. Prefer to provide keys temporarily at runtime or use least-privilege credentials. Storing secrets in plaintext files (~/.agents/skills/zeelin-writing/.wechat/.env) or appending them to ~/.zshrc or ~/.bashrc increases exposure.
  - The init script references several files that are missing from the package (e.g., scripts/生成封面图-批量.sh, some node scripts). Ask the author to provide a complete package or fix the broken references; missing files may cause confusing behavior.
  - If you want to try the skill safely: run it in a clean test directory (not your home or important project folders), avoid running the initialization script that appends to shell rc, and run 'npm install' manually in a sandboxed environment so you can inspect fetched packages and scripts.
  - If you trust the author and want automatic publishing, explicitly confirm which credentials will be used and where they are stored, and remove or rotate keys when you stop using the skill.

  If you want, I can extract the exact lines that append to ~/.zshrc, the execSync('npm install') usage, and the file-read/write calls so you can quickly review them.
Review Dimensions
- Purpose & Capability (note): Stated capabilities (generate cover images, publish to WeChat, read local history to learn style) are consistent with asking for a Google API key and WeChat app id/secret in SKILL.md. However the skill metadata declares no required env vars/credentials while the runtime instructions explicitly instruct the agent to create a .env with GOOGLE_API_KEY and WECHAT_APP_ID/WECHAT_APP_SECRET — an inconsistency between metadata and runtime instructions that reduces transparency.
- Instruction Scope (concern): The SKILL.md instructs the agent to automatically read many local paths (user-attached files, ./知识资料/, ./历史文章/) without explicit user confirmation and to save files into project directories. It also instructs creation of a persistent skill config file under the user's home (~/.agents/skills/zeelin-writing/.wechat/.env) and the scripts include logic (初始化.sh) that can append GOOGLE_API_KEY to ~/.zshrc or ~/.bashrc. Automatic reading/modifying of user files and shell RC is scope-broad and could expose sensitive local data or permanently change environment behavior.
- Install Mechanism (note): No install spec in registry, but included scripts (scripts/markdown-to-html.ts) will run npm install via execSync at runtime if dependencies are missing, causing on-demand installation of npm packages ('marked', 'juice') from the public registry. Auto-running 'npm install' is an expected way to obtain JS deps but carries typical supply-chain risk (network fetch, lifecycle scripts). Several referenced scripts (e.g., scripts/生成封面图-批量.sh, node scripts/*.js) are referenced by initialization.sh but are not present in the package — a packaging inconsistency.
- Credentials (concern): Requested secrets (GOOGLE_API_KEY and WECHAT_APP_ID/WECHAT_APP_SECRET) are plausible for cover-image generation and posting to WeChat, so their presence is explainable. But the skill asks users to place those secrets into a skill-local .env under home or even append to shell rc (initialization.sh). Requiring a WeChat app secret (highly sensitive) is proportionate only if the user intends to let the skill publish on their behalf; storing secrets in shell rc or plaintext files increases exposure. The registry metadata does not declare these env requirements, so they could be overlooked by users.
- Persistence & Privilege (concern): The skill writes persistent files under the user's home (~/.agents/skills/zeelin-writing/.wechat/.env) and initialization.sh offers to append GOOGLE_API_KEY to shell startup files, giving long-lived access to credentials in the user's environment. While 'always' is false and the skill is not forced on every run, the ability to write config and modify rc-files is a meaningful persistence/privilege change that users should consent to explicitly.
