Skill v1.0.4

ClawScan security

Wemp Ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 19, 2026, 4:04 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's files and runtime instructions broadly match a WeChat account publishing workflow, but there are notable inconsistencies around credential handling, install/runtime expectations, and file-modifying behavior that the author did not declare — review carefully before installing.
Guidance
Key things to check before installing:
- Inspect config/default.json and other repo files for embedded secrets; treat the included weixin.appId/appSecret as suspicious (they may be real or stolen). Do NOT use the skill unless you remove/replace those credentials with your own and ensure secrets are stored securely (env vars or a secret manager).
- Review scripts/setup.mjs, publisher.mjs, smart_collect.mjs, and any network-calling code to see exactly which endpoints are contacted (WeChat API endpoints, image-generation services, or arbitrary hosts). If you are uncomfortable, run the skill in an isolated sandbox or container first.
- Confirm where image-generation API keys (Gemini/Seedream or other) are expected to come from; SKILL.md references 'team AK' and key rotation but does not declare required env vars — ask the publisher for details or set your own credentials.
- Note the skill will read and write workspace files and may delete handoff items; back up your workspace before first run and audit what files the scripts modify.
- If you intend to allow publishing/comment-reply capabilities, ensure the WeChat credentials are yours and have the minimum required scope (prefer a test account), and consider disabling autonomous invocation until you've validated behavior.
- If anything about provenance (who published this skill) is unclear, prefer not to run arbitrary setup or publishing scripts from it; ask the author for an explanation of the embedded credentials and a sanitized install process (declared env vars, no hardcoded secrets).

Review Dimensions

Purpose & Capability
Concern: The skill claims to manage a WeChat Official Account and the repository contains publisher, comment-checking, fetching, and image-generation scripts that fit that purpose. However the package metadata declares no required env vars or binaries while README/SKILL.md and scripts clearly require Node.js, Python3 and API credentials. Worse, config/default.json contains a weixin.appId and appSecret baked into the codebase rather than being declared or requested via environment variables — this mismatch (no declared credentials but embedded credentials in files) is a strong incoherence.
Instruction Scope
Note: SKILL.md instructs the agent to read and write many workspace files (topic pools, handoff files, temp findings, persona.md), to delete consumed handoff entries, and to call external tools/APIs (web_search/web_fetch, image generation services, WeChat API). Those actions are within the claimed purpose (content collection, publishing, comment management), but the instructions give broad discretion to fetch, modify, and delete user workspace files and to push content to external endpoints — verify you trust these scripts and their exact network targets before granting access.
Install Mechanism
Concern: There is no formal install spec, yet the skill ships many executable scripts and the SKILL.md tells the user to run node scripts/setup.mjs. That setup step is effectively an install/runtime step but it's not declared in the registry metadata. Running repository scripts will execute arbitrary code on the agent host; lacking an install review or clear provenance raises risk. Also required runtimes (Node/Python) are not declared in the skill metadata.
Credentials
Concern: The registry declares no required environment variables or credentials, but config/default.json contains plaintext WeChat appId/appSecret values. The SKILL.md expects API access to WeChat and third-party image services (references to Gemini/Seedream and 'key rotation'). Requiring external API keys for publishing and image generation is reasonable for the stated purpose, but the way credentials are handled (embedded in repo config instead of declared env vars or a secure credential prompt) is disproportionate and suspicious.
Persistence & Privilege
Note: The skill is not always-enabled and does not force inclusion, which is good. However it is allowed to run autonomously (default platform behavior) and its instructions include modifying workspace files (writing findings files, deleting handoff entries) and pushing drafts to WeChat. That level of write/publish capability is consistent with its purpose but increases blast radius when combined with the credential mishandling and capability to execute scripts — consider restricting autonomous invocation or reviewing code before enabling.