MBTI Coach — Personality Development System

Audited by ClawScan on May 18, 2026.

Overview

This MBTI coaching skill is mostly coherent, but its Feishu calendar helper handles credentials, can print access tokens, and has unsafe argument handling that could execute arbitrary code if crafted schedule text is passed to it.

Install only if you are comfortable reviewing or patching the Feishu calendar script. If you use calendar sync, provide least-privilege Feishu credentials, do not run the token debug command, confirm each calendar write, and keep the local profile file private.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent passes untrusted or crafted schedule text into the calendar helper, it could run unexpected commands on the user's machine.

Why it was flagged

The script interpolates calendar command arguments directly into Python source code instead of passing them as data. Crafted event text or date strings containing quotes could break out of the intended string and execute unintended Python code.

Skill content
start_ts=$(python3 -c "from datetime import datetime; print(int(datetime.strptime('$start_str', '%Y-%m-%d %H:%M').timestamp()))") ... 'summary': '$title', 'description': '''$desc'''
Recommendation

Rewrite the helper to pass values through argv, stdin, JSON files, or environment variables, and never embed event fields directly into python -c source strings.
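The argv-based rewrite the recommendation describes, as an added example (not the skill's own feishu_calendar.sh): the date string and the event fields reach Python as sys.argv entries, so a title containing quotes stays data instead of becoming part of the -c source. The start_ts/end_ts keys and the UTC conversion are assumptions, not Feishu's schema or the helper's behaviour.

```shell
#!/bin/sh
# Added example, not the audited helper. Every user-controlled value is
# passed as a separate argv entry; the python source is a fixed literal.

# Convert "YYYY-MM-DD HH:MM" to a Unix timestamp. The audited helper
# interpolates $start_str into the source; here it is sys.argv[1].
# Assumption: UTC, so the result is reproducible (the helper uses local time).
to_epoch() {
    python3 -c '
import sys
from datetime import datetime, timezone
dt = datetime.strptime(sys.argv[1], "%Y-%m-%d %H:%M")
print(int(dt.replace(tzinfo=timezone.utc).timestamp()))
' "$1"
}

# Build the JSON event body with json.dumps instead of quoting fields by
# hand. Title and description arrive via argv, so apostrophes or triple
# quotes in them cannot alter the generated Python.
# Assumption: start_ts/end_ts are placeholder keys for the example.
event_payload() {
    python3 -c '
import json, sys
title, desc, start, end = sys.argv[1:5]
body = {
    "summary": title,
    "description": desc,
    "start_ts": int(start),
    "end_ts": int(end),
}
print(json.dumps(body, ensure_ascii=False))
' "$1" "$2" "$3" "$4"
}
```

A constructed title such as `Review O'Brien's weekly plan` comes back verbatim in the JSON, which is the check to keep in the script's own tests.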

What this means

A Feishu token could appear in agent output, shell history, or logs, giving access to whatever calendar permissions the Feishu app has.

Why it was flagged

The helper includes a debug command that prints the Feishu access token. The script also reads FEISHU_APP_ID and FEISHU_APP_SECRET from environment/config/.env, while the registry metadata declares no credential contract.

Skill content
feishu_calendar.sh token                Fetch and print the access token (for debugging)
Recommendation

Remove or restrict the token-printing command, mask secrets in outputs, declare the Feishu credential requirements, and use least-privilege Feishu app permissions.

What this means

Users may believe no personal development data ever leaves their machine even though scheduled coaching events can be synced to an external calendar provider.

Why it was flagged

The privacy wording is overbroad because the advertised Feishu/Lark calendar integration necessarily sends calendar event data to Feishu when used.

Skill content
Integrates with Feishu/Lark calendar for real scheduling ... Your profile is stored locally in `data/profile.json`. Nothing is shared externally.
Recommendation

Clarify that local profile data stays local, but calendar sync sends selected event titles/descriptions/times to Feishu/Lark, and require user approval before syncing.

What this means

The agent could add events to the connected Feishu/Lark calendar if the helper is invoked.

Why it was flagged

The helper can create external calendar events. This is purpose-aligned for scheduling growth exercises, but it is a real account mutation that should be user-approved.

Skill content
feishu_calendar.sh create TITLE START END [DESC]  Create an event ... curl -s -X POST "$FEISHU_BASE/calendar/v4/calendars/$cal_id/events"
Recommendation

Confirm event title, time, description, and target calendar with the user before creating calendar entries.

What this means

The profile file (data/profile.json) may contain sensitive self-assessment and personal growth information that future sessions will rely on.

Why it was flagged

The skill persists a personality profile, cognitive function scores, goals, and stress-signal information for reuse across sessions.

Skill content
Read `data/profile.json` ... Save all collected data to `data/profile.json`
Recommendation

Keep data/profile.json private, avoid syncing it to shared locations, and delete or edit it if the stored assessment becomes inaccurate or too sensitive.