Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nex Reports
v1.0.0
Automated report generation and scheduling meta-skill that aggregates data from multiple Nex tools into unified, actionable business briefings for day-to-day...
by Nex AI (@nexaiguy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (aggregating Nex tools into scheduled reports) aligns with the code and declared requirements: python3, IMAP creds for the EMAIL module, and TELEGRAM_* for delivery. The modules call expected nex-* CLIs and use IMAP/ICS/JSON files where described. No unrelated credentials or unexpected external services are requested.
Instruction Scope
Runtime instructions and SKILL.md stay within the described reporting scope (creating/scheduling reports, reading IMAP, parsing ICS/task JSON, running nex-* commands, and delivering via Telegram or saving files). Important scope note: there is a CUSTOM module that runs arbitrary shell commands (module config key 'command') — this is an explicit feature of the skill but grants the ability to execute any command the config contains. The agent or user creating/editing configs could therefore cause arbitrary command execution if they supply a dangerous command. Otherwise, the instructions reference only the declared env vars and the user's home data dir (~/.nex-reports).
Install Mechanism
No formal install spec was provided in the registry (install is 'instruction-only'), but a setup.sh and CLI scripts are included in the package. That is not inherently malicious, but you should inspect setup.sh before running it because it may install the CLI into the user's environment or write files (the README describes doing so). The code itself uses only standard library modules and expects optional external nex-* binaries.
Credentials
The required environment variables (IMAP_HOST, IMAP_USER, IMAP_PASS, IMAP_PORT, TELEGRAM_TOKEN, TELEGRAM_CHAT_ID) are proportional to features (IMAP email checks and Telegram delivery). There are no unrelated secrets requested. IMAP_PASS and TELEGRAM_TOKEN are sensitive and will be used directly by the tool as expected.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It will create a data directory (~/.nex-reports/) and an SQLite DB for configs/history, which is expected for its function. The included setup.sh may also install a CLI; review it if you want to avoid adding binaries to your system.
Assessment
This package is coherent with its stated purpose, but review these before installing:
- Inspect setup.sh before running it (it may install the CLI or write files to your home directory).
- Be cautious with IMAP_PASS and TELEGRAM_TOKEN — they are sensitive credentials used for email checks and Telegram delivery; prefer app-specific passwords and a bot token limited to the needed chat.
- The CUSTOM module executes arbitrary shell commands from the report configuration; do not add untrusted/opaque commands to configs or allow the agent to write configs that include commands you wouldn't run yourself.
- If you plan to run scheduled jobs, run them in a controlled environment (non-root user, container, or VM) because modules may call external nex-* CLIs and the custom command feature could execute dangerous commands.
- If you need higher assurance, run the tool in a sandbox, or ask the publisher for provenance/signing of releases and an explicit install script rather than running the bundled setup without review.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📋 Clawdis
Bins: python3
Env: IMAP_HOST, IMAP_USER, IMAP_PASS, IMAP_PORT, TELEGRAM_TOKEN, TELEGRAM_CHAT_ID
