ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

报告双通道智能推送

v1.0.0

将分析报告智能摘要推送到微信(≤100字任务清单)+全文推送到QQ邮箱,说'推送报告'时触发

0· 63·0 current·0 all-time
by@liu99012101-bot
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binaries (python3), and required env vars (QQ_MAIL_ACCOUNT, QQ_MAIL_AUTH_CODE, TARGET_QQ_MAIL, WECHAT_PUSH_KEY) align with a report-to-email+WeChat pusher. The SMTP usage for QQ Mail and an HTTP push endpoint for WeChat/PushPlus is consistent with the purpose.
!
Instruction Scope
SKILL.md instructs the agent to perform compliance checks, deduplication, rate limiting, and to generate the ≤100‑char WeChat summary itself. However, the included script does not implement compliance filtering, deduplication, or rate-limiting—these protections are only promised in prose. Also the instructions call python3 {baseDir}/scripts/push_report.py but the repository contains scripts/ush_report.py (filename mismatch) which will break the instructed command unless corrected.
Install Mechanism
No external/binary downloads; installation is a simple pip install requests (requirements.txt present). This is low-risk from an install mechanism standpoint.
!
Credentials
The environment variables requested are appropriate for the stated functionality. However, SKILL.md claims the WECHAT_PUSH_KEY supports both Server酱 (SCT...) and PushPlus tokens, while the script always posts to PushPlus (http://www.pushplus.plus/send). A Server酱 token will not work with that endpoint. Also the script uses plain HTTP for the push endpoint (not HTTPS), which is a minor transport concern.
Persistence & Privilege
always:false and no install-time writes to system configuration or other skills. The skill does not request elevated or persistent platform privileges.
What to consider before installing
This skill mostly does what it says (send mail via QQ SMTP and post to a WeChat push endpoint) and only requires the expected environment variables. Before installing or enabling it: 1) fix or confirm the script path (SKILL.md calls scripts/push_report.py but the code file is scripts/ush_report.py) — otherwise the agent will fail to run the sender; 2) don't assume the promised "built-in" compliance, rate-limiting, or deduplication actually exists — the shipping script does not implement these protections, so ensure the agent enforces them before calling the script or add those checks to the script; 3) verify which WeChat push service you will use — the script always uses PushPlus endpoint, so Server酱-style tokens (SCT...) will not work; 4) note the script uses HTTP for pushplus (consider changing to HTTPS if supported) and truncates summaries locally; 5) test with non-sensitive content and test accounts first (so your real auth codes are not exposed during debug). These inconsistencies explain the "suspicious" rating; they may be benign packaging errors but should be resolved before trusting the skill with real credentials or sensitive reports.

Like a lobster shell, security has layers — review code before you run it.

latestvk977w6dk0ytj7ddpsn2k6jxc1h83pkwp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📨 Clawdis
Binspython3
EnvQQ_MAIL_ACCOUNT, QQ_MAIL_AUTH_CODE, TARGET_QQ_MAIL, WECHAT_PUSH_KEY

Comments