my_acceptance_rate_analysis

Verdict: Suspicious. Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated analysis purpose, but it embeds a DataWorks access token and logs raw query results by default.

Review this skill before installing. It should not ship with a shared access token; the token should be revoked or rotated, and users should provide their own least-privilege credential. Also confirm whether local query logs are acceptable for your data before running it.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone running the skill may use a shared embedded DataWorks credential, which can expose internal metric access and blur accountability for queries.

Why it was flagged

The skill falls back to an embedded access token and sends it as a DataWorks session cookie, despite the registry declaring no primary credential or required environment variable.

Skill content

DEFAULT_ACCESS_TOKEN = os.getenv("BIGDATA_ACCESS_TOKEN", "manage-…") ... headers={"Cookie": f"bigdata_access_token={access_token or DEFAULT_ACCESS_TOKEN}"}

Recommendation

Remove and rotate the embedded token, require a user-provided least-privilege credential such as BIGDATA_ACCESS_TOKEN, and declare that credential in the skill metadata.

What this means

Business metric results and potentially sensitive operational data may remain in local logs after the analysis finishes.

Why it was flagged

Detailed API response data, including SQL and result rows, is logged by default unless DATAWORKS_QUERY_LOG is disabled.

Skill content

if os.getenv("DATAWORKS_QUERY_LOG", "1")... logger.info("[query_metric_data] 响应原始数据 {}", json.dumps({"sql": data.get("sql"), "column_head_list": column_head_list, "data_list": data_list, "rows": _map_response_rows(...)}, ...))

Recommendation

Disable raw query logging by default, redact sensitive fields, document the log location and retention behavior, and make verbose logging an explicit user opt-in.