Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lerwee Alert Inspection
v1.0.0. Use this skill when the user asks for a device health inspection, an alert review, inspection report generation, or export of monitoring alerts to Excel. It fetches monitoring data via Python, generates a Markdown inspection report, and exports an Excel workbook containing 4 sheets.
by @lerwee
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The skill's description says it fetches monitoring data and exports reports — the code and SKILL.md consistently require LWJK_API_URL and LWJK_API_SECRET and perform paginated POST requests to that API, which is coherent with the stated purpose. However, registry metadata declared no required environment variables or primary credential, which is inconsistent and misleading: the skill will fail or attempt network calls depending on values in skills/.env. The code also reads a local .env file by default (skills/alert-inspection/.env).
Instruction Scope
SKILL.md prescribes precise runtime behavior: two separate host-list queries with explicit active_status parameters, generation of a temporary export script (copied into /tmp and executed), writing normalized JSON and an .xlsx, and returning the file path and markdown. This scope is narrow and aligned with purpose, but the instruction to generate and execute a temp Python script (with placeholder replacement) increases risk because it executes dynamically generated code at runtime — even though the template provided is included in the repo and simply reads local JSON and writes an Excel file.
Install Mechanism
There is no install spec (instruction-only with included Python scripts). That minimizes install-time risk. However, runtime dependencies (e.g., openpyxl) are not declared in metadata; the environment must have those Python packages installed or the export step will fail.
Credentials
The skill requires LWJK_API_URL and LWJK_API_SECRET (documented in SKILL.md and used in code) but the registry metadata lists no required env vars or primary credential. The included .env sets LWJK_API_URL to http://192.168.1.79/backend_api (an internal IP) and leaves LWJK_API_SECRET empty. Requesting an API endpoint and secret is reasonable for fetching monitoring data, but not declaring it in the registry is a mismatch that can hide the need to supply secrets. The code will sign and POST data to the configured API, meaning sensitive monitoring data could be transmitted to whatever host is set in LWJK_API_URL.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes outputs to the specified reports directory and creates/executes a temporary script under /tmp for export; it does not modify other skills or system-wide configs. These behaviors are normal for a data-export skill, but executing a generated script should be considered when evaluating runtime trust.
What to consider before installing
Before installing or running this skill, note that:
(1) it requires LWJK_API_URL and LWJK_API_SECRET (the registry did not declare these) and will POST paginated requests to that API; verify the URL is a trusted internal endpoint and only provide a secret you intend to share;
(2) it reads skills/alert-inspection/.env by default; check or remove this file if it contains unwanted endpoints;
(3) at runtime it creates a temporary Python export script under /tmp with replaced placeholders and executes it; review the template (references/export_excel_template.py) and ensure your runtime environment is safe;
(4) Python runtime dependencies (e.g., openpyxl) are required but not declared in metadata; run in a sandbox or prepared environment;
(5) if you only want to review behavior safely, run generate_report.py with --hosts-file and --problems-file pointing to local JSON files to avoid any network calls.
If you plan to use this in production, update the registry metadata to declare LWJK_API_* as required and audit the LWJK_API_URL host and the code to confirm it meets your security policies.
latest: vk975gsvy5d4tqx0g0e7r6cj99x82v936
