Skill v1.0.1
ClawScan security
skill-a-create-meeting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 18, 2026, 3:34 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code mostly matches its stated purpose (creating meeting files in Gitea and preparing email content), but the package metadata omits the credentials the code requires, and the bundled setup script and env-example point GITEA_BASE_URL at a specific external IP. These inconsistencies, together with the install script's behaviour, are concerning.
- Guidance
- This skill appears to implement what it claims (creating meeting folders in Gitea and building invitation content), but there are red flags to address before installing or running it:
  - Metadata vs reality: the package declares no required env vars, but the code needs GITEA_BASE_URL, GITEA_TOKEN_BOT, and AIFUSION_META_REPO. Do not assume the platform will prompt you for them; the skill expects them in ~/.config/skill-a-create-meeting/.env.
  - Inspect and edit env-example: the provided env-example sets GITEA_BASE_URL to an explicit IP (http://43.156.243.152:3000). Point it at your own trusted Gitea instance, or delete the example, before creating the .env. If it is left pointing at a third-party server and you supply a token, the skill will send that token to whoever controls that address.
  - Limit credential scope: if you create a bot token for this skill, grant only the permissions it needs (the specific repos it should touch). Do not reuse a token with broad org or admin privileges.
  - Run setup/install in isolation: the included setup.sh runs pip install system-wide with --break-system-packages. Use a dedicated virtualenv or container instead, and read requirements.txt before installing.
  - Review file writes: the skill creates files in the target repo (meetings/... meta.yaml and agenda.md) and appends logs to the configured meta repo. Confirm that both repos are the ones you intend and that you trust them.
  - Test first with a low-privilege token and a throwaway repository: validate behaviour there and check for unexpected outbound connections. Search the code for any hard-coded endpoints (the env-example is already one).
  If you cannot verify these points or are not comfortable editing the env file, treat the skill as untrusted until they are resolved.
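The checks in the guidance above can be mechanised before anything is installed. The script below is an added example, not ClawHub's scanner and not the skill's own code: it builds a constructed sample skill directory mirroring what this review describes (env-example with the IP endpoint, a setup.sh that uses --break-system-packages, a main.js reading three env vars), then reports hard-coded IP endpoints, env vars the code reads but the registry never declared, and system-wide pip installs. The function names and grep patterns are this example's own assumptions; the declared-variable list is passed in empty because the registry showed none.

```shell
#!/bin/sh
# Pre-install audit for a ClawHub-style skill directory (added example).
# Assumes the layout the review describes: env-example, setup.sh, and
# JS/Python sources that read configuration from the environment.

# Build a constructed sample skill directory mirroring the reviewed skill.
make_sample_skill() {
  skill=$(mktemp -d)
  cat > "$skill/env-example" <<'EOF'
GITEA_BASE_URL=http://43.156.243.152:3000
GITEA_TOKEN_BOT=
AIFUSION_META_REPO=org/meta
EOF
  cat > "$skill/setup.sh" <<'EOF'
#!/bin/sh
pip install -r requirements.txt --break-system-packages
mkdir -p ~/.config/skill-a-create-meeting
cp env-example ~/.config/skill-a-create-meeting/.env
EOF
  cat > "$skill/main.js" <<'EOF'
const base = process.env.GITEA_BASE_URL;
const token = process.env.GITEA_TOKEN_BOT;
const meta = process.env.AIFUSION_META_REPO;
EOF
  printf '%s\n' "$skill"
}

# Every distinct host[:port] found in an http(s) URL anywhere in the tree.
hardcoded_hosts() {
  grep -rhoE 'https?://[^/"'"'"' ]+' "$1" | sed -E 's#https?://##' | sort -u
}

# Hosts that are bare IPv4 literals: atypical for an example config.
ip_literal_hosts() {
  hardcoded_hosts "$1" | grep -E '^[0-9]+(\.[0-9]+){3}(:[0-9]+)?$' || true
}

# Env var names the code actually reads (Node process.env.X, Python os.environ).
env_vars_used() {
  grep -rhoE 'process\.env\.[A-Z_][A-Z0-9_]*|environ(\.get)?(\(|\[)["'"'"'][A-Z_][A-Z0-9_]*' "$1" \
    | grep -oE '[A-Z_][A-Z0-9_]*$' | sort -u
}

# Vars the code reads that the registry metadata did not declare.
# $2 is the declared list, space-separated (empty here: the registry showed none).
undeclared_env_vars() {
  declared=$2
  for v in $(env_vars_used "$1"); do
    case " $declared " in
      *" $v "*) ;;
      *) printf '%s\n' "$v" ;;
    esac
  done
}

# True when setup.sh installs into the system interpreter.
setup_installs_systemwide() {
  grep -qE 'pip[0-9]*[[:space:]]+install.*--break-system-packages|sudo[[:space:]]+pip' "$1/setup.sh"
}

# Full audit: print findings and return 1 when anything needs attention.
audit_skill() {
  dir=$1; declared=$2; rc=0
  hosts=$(ip_literal_hosts "$dir")
  if [ -n "$hosts" ]; then
    echo "hard-coded IP endpoint(s): $hosts"; rc=1
  fi
  missing=$(undeclared_env_vars "$dir" "$declared")
  if [ -n "$missing" ]; then
    echo "env vars used but not declared in metadata:"; echo "$missing"; rc=1
  fi
  if setup_installs_systemwide "$dir"; then
    echo "setup.sh installs into the system interpreter (--break-system-packages)"; rc=1
  fi
  return $rc
}

# Run against the constructed sample; a non-zero exit means "review before install".
audit_skill "$(make_sample_skill)" "" || echo "verdict: do not install unreviewed"
```

The audit is intentionally dumb grep: it cannot tell a legitimate endpoint from a hostile one, only that the artifact and its metadata disagree, which is exactly the gap the scanner flagged. Pass the registry's declared variable names as the second argument to `audit_skill` when the registry does declare some.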
Review Dimensions
- Purpose & Capability
- Concern: The skill claims to be a Gitea-side meeting preparer (creating meeting directories, meta/agenda files, resolving member emails, logging, producing email HTML). The code implements those capabilities and legitimately needs a Gitea base URL, a bot token, and a meta repo. However, the registry metadata declares no required env vars or credentials, which is inconsistent with the implementation (it expects GITEA_BASE_URL, GITEA_TOKEN_BOT, AIFUSION_META_REPO). That mismatch could cause users to miss the need to provide and inspect credentials.
- Instruction Scope
- Note: SKILL.md prescribes a precise workflow (OpenClaw does the natural-language parsing and creates the Tencent meeting; this skill manipulates Gitea and prepares email content). The skill's instructions require running setup.sh and then invoking main.js with the meeting fields, so the scope stays within the described purpose. However, setup.sh copies env-example into ~/.config/skill-a-create-meeting/.env by default (and tells users to edit it), which could lead less technical users to keep the example values.
- Install Mechanism
- Concern: There is no registry-level install spec, but the provided setup.sh pip-installs the requirements system-wide (using --break-system-packages) without creating an isolated environment. This is intrusive and may be unexpected. The requirements are standard Python packages, but running the script before inspecting and editing env-example is risky. The env-example contains a hard-coded Gitea URL that points to an IP address (43.156.243.152:3000), which is atypical for an innocuous example and increases risk if users do not change it.
- Credentials
- Concern: The code legitimately needs GITEA_BASE_URL, GITEA_TOKEN_BOT, and AIFUSION_META_REPO to operate. Requesting a Gitea bot token is proportional to the skill's purpose, but these required env vars are not declared in the skill metadata (the registry shows none). The env-example's default GITEA_BASE_URL points to a remote IP; if a user copies that example unchanged and supplies a token, the token and every repo operation will be directed to an unexpected endpoint. The skill reads repository members and their emails (sensitive metadata) and writes files and logs to the meta repo using the provided token. That is reasonable for its function but high-impact if the token is misdirected.
- Persistence & Privilege
- Note: always:false and model invocation allowed are the defaults, which is normal. The skill writes files into user-specified Gitea repos and appends logs to the configured meta repo. This is consistent with its purpose but requires a token with write access, so keep the token's scope limited. The skill does not request persistent alteration of other skills or of global agent config.
