Skill v1.0.0

ClawScan security

地产项目前期产策报告 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Apr 11, 2026, 5:45 PM)
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill mostly matches its stated real-estate reporting purpose, but there are clear inconsistencies between the SKILL.md claims and the shipped code (missing format exporters, hard-coded output path), which merit attention before installing or running.
Guidance
Before installing or running this skill, consider the following:
- Capability mismatch: SKILL.md promises Word/PPT/PDF generation via python-docx/python-pptx and format conversion, but the shipped scripts only produce Markdown and a simple HTML. If you need .docx/.pptx/.pdf outputs, verify or add the missing conversion code and required Python packages before use.
- Hard-coded output path: generate_report.py creates and writes files to a hard-coded Windows path (C:\Users\钱多多\Desktop\AI Skill\产策报告输出). This may fail on non-Windows systems or unexpectedly write files to your Desktop. Edit OUT_DIR to a safe, configurable location or run in a sandboxed environment.
- File handling and privacy: the skill asks users to upload documents and images. Do not upload sensitive or confidential materials unless you trust the environment and have reviewed how those uploads are stored and handled. The code does not transmit uploads externally, but the agent may issue web search queries that reveal project names; be mindful of privacy.
- Code quality: the HTML conversion is a naive string-replace implementation and may produce malformed HTML; test outputs before sharing externally.
- Dependencies: there are no declared dependencies for python-docx/python-pptx or PDF conversion. If you expect those features, install and verify the appropriate Python libraries and update the scripts accordingly.
If you are comfortable editing the skill, the recommended changes are: make OUT_DIR configurable (or relative to the current working directory), implement or remove the claims about .docx/.pptx/.pdf generation, add dependency declarations and error handling, and document exactly where files are written. If you do not want local files created on your machine, run the skill in an isolated/sandboxed environment first.

Review Dimensions

Purpose & Capability
Status: concern. The skill declares support for Markdown/Word (python-docx)/PPT (python-pptx)/HTML/PDF and describes automated format conversion, but the included scripts only generate Markdown and a very simple HTML. There is no code or declared dependency to produce .docx, .pptx or PDF, so the README over-promises capabilities. This mismatch could confuse users and lead the agent to attempt actions (calling libraries or converters) that are not present.
Instruction Scope
Status: concern. SKILL.md instructs the agent to perform web searches (mmx search / web_search) and to accept/upload user files; both are consistent with the skill's purpose. However, the runtime script generate_report.py writes outputs to a hard-coded Windows desktop path (OUT_DIR set to C:\Users\钱多多\Desktop\AI Skill\产策报告输出), which is surprising and potentially intrusive: it will attempt to create and write files to that specific location on the host. SKILL.md does not disclose this exact save location. The HTML conversion method is also naive and may emit malformed HTML.
Install Mechanism
Status: ok. No install spec or external downloads; the skill is instruction-plus-local-scripts only, so nothing is fetched at install time. This is the lowest install risk.
Credentials
Status: ok. The skill requests no environment variables, no external credentials, and requires no binaries. The references to web search are expected for a research/report skill. There is no evidence of unrelated credential access or secret harvesting.
Persistence & Privilege
Status: ok. The skill's "always" flag is false and the skill does not request elevated or persistent privileges. It does write files to disk (see Instruction Scope), but it does not modify other skills or system-wide agent settings.