Openclaw Itsm Skill

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent ITSM ticket analysis guide, but users should verify any helper scripts and be careful with optional API keys, webhooks, and scheduled reporting.

Use this skill as a guide for analyzing exported ITSM data. Before installing or relying on automation, verify any referenced scripts because they are not included in the package, use least-privilege ITSM credentials if API access is added, and review Enterprise WeChat webhook or cron reporting so sensitive ticket data is not shared too broadly.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill itself does not include executable code, but following the examples could lead to running unreviewed local helper scripts.

Why it was flagged

SKILL.md references helper scripts, but the provided artifact set contains only SKILL.md and no code files. This is a provenance gap if a user or agent later tries to run local scripts with those names.

Skill content

python scripts/analyze_ticket.py --input /path/to/new_ticket.csv

Recommendation

Only run helper scripts that come from a trusted source and have been reviewed; otherwise use the skill as an analysis prompt for user-provided CSV or Excel data.

What this means

An ITSM API key may grant access to business ticket data or broader ITSM actions depending on how it is scoped.

Why it was flagged

The skill documents optional ITSM API credentials. This is expected for an ITSM integration, but credentials are sensitive and are not declared in the registry metadata.

Skill content

export BK_ITSM_API_URL="https://<your-domain>/api/v1/itsm"
export BK_ITSM_API_KEY="your-api-key"

Recommendation

Use a least-privilege, preferably read-only API key, avoid pasting secrets into chat, and confirm what any helper code will do before enabling API access.

What this means

Ticket reports may contain requester names, assignees, issue details, SLA status, or other internal business information.

Why it was flagged

The skill supports pushing reports to an Enterprise WeChat webhook. This is disclosed and purpose-aligned, but it can transmit ticket summaries outside the local analysis context.

Skill content

export WEBHOOK_URL="https://qyapi.weixin.qq.com/cgi-bin/webhook/send?key=xxx"

Recommendation

Use only approved corporate webhooks, review report contents before pushing, and avoid sending sensitive ticket details to broadly visible chat groups.

What this means

If enabled, reports could be generated and pushed on a recurring basis without a fresh manual review each time.

Why it was flagged

The skill mentions optional scheduled daily reporting. No cron job is installed by the artifact, but scheduled automation would continue running if a user configures it separately.

Skill content

cron: 0 9 * * *

Recommendation

Only enable scheduled pushes after confirming the destination, data scope, retention needs, and how to disable the schedule.