Skill v1.0.8

ClawScan security

cloud-doc-intelligent-assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 16, 2026, 11:56 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code largely matches its stated purpose (crawl public cloud docs, store locally, detect diffs) but there are mismatches around network permissions and deployment assumptions — notably configurable webhooks (and .env loading) can send harvested document data to external endpoints that are not fully declared in the SKILL.md permissions, and there is no formal install spec despite many included Python sources and dependencies.
Guidance
What to check before installing or using the skill:
- Review config.yaml and any notifier entries. If you do not want document content leaving your machine, keep notifications set to file-only and avoid configuring webhook URLs.
- Check any environment variables you plan to set: AIFLOW_WEBHOOK_URL and RULIU_WEBHOOK_URL will be used for outbound posts; if you set CLOUD_DOC_MONITOR_LOAD_DOTENV to enable .env loading, that will import variables from a .env file (and could expose secrets if the .env contains them).
- The code can POST payloads including counts and metadata (and will include document links/titles in markdown), so only point webhooks at endpoints you trust.
- Dependencies must be installed (requests, beautifulsoup4, lxml, sqlalchemy, pyyaml, click). There is no install spec in the registry entry; follow the project's README or pip install steps in SKILL.md and run in an isolated environment if possible.
- If you need stricter enforcement, audit notifier implementations (WebhookNotifier/AiflowNotifier/RuliuNotifier) and restrict allowed notification URLs or sandbox network egress to the cloud vendor domains and approved webhooks.
- Overall: functionality aligns with the description, but configurable notification/webhook behavior and optional .env loading are the primary risks; treat webhook targets as sensitive configuration and verify them before enabling the skill.

Review Dimensions

Purpose & Capability
ok
The name/description claim to fetch public cloud product docs (aliyun, tencent, baidu, volcengine), store them locally, and detect diffs. The included Python modules implement crawling, storage (SQLite/SQLAlchemy), diff detection, caching, async tasks and notifiers, which is coherent with that purpose. It does not call LLMs and does not request unrelated cloud credentials.
Instruction Scope
concern
SKILL.md and code instruct the agent to fetch public docs, write to local DB and log files, and send notifications to webhooks. However the skill supports arbitrary webhook URLs configured in config.yaml (and multiple notifier types) while the declared outbound network permissions only list cloud vendor domains plus two environment-derived webhook placeholders (${AIFLOW_WEBHOOK_URL}, ${RULIU_WEBHOOK_URL}). This is an inconsistency: the code can contact arbitrary endpoints from configuration, which could cause data to be transmitted to endpoints not listed in the permissions block.
Install Mechanism
note
There is no install spec in the registry entry even though the repo includes pyproject.toml, requirements.txt and CLI entry points. The SKILL.md documents pip install and expects Python packages (requests, beautifulsoup4, lxml, sqlalchemy, pyyaml, click). Lack of a formal install step in the skill metadata is an operational/consistency issue (agent/runtime may need those deps present). This is not directly malicious but increases potential for misconfiguration or unexpected failure.
Credentials
concern
The skill declares reading a small set of env vars (AIFLOW_WEBHOOK_URL, RULIU_WEBHOOK_URL, CLOUD_DOC_MONITOR_LOAD_DOTENV). The code respects opt-in .env loading (CLOUD_DOC_MONITOR_LOAD_DOTENV) which can pull arbitrary secrets from a .env file if enabled. More importantly, notifications can be configured in config.yaml with arbitrary webhook URLs and will be POSTed to by the notifier code. Requiring or reading general-purpose SECRET/TOKEN env vars is not present, but the ability to send document content to configurable external webhooks is a privileged action and should be reviewed before enabling.
Persistence & Privilege
ok
The skill writes to local files (SQLite DB under data/, logs/, notifications/, tasks/) and spawns background task threads. It does not request always:true and does not modify other skills. Local persistence is expected for a monitoring tool and is consistent with the declared filesystem permissions.