Skillv1.2.0

ClawScan security

A股复盘转公众号格式工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 23, 2026, 11:55 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality matches its description, but its runtime instructions include an undeclared default filesystem save path and automatic persistence behavior that could overwrite or exfiltrate sensitive input; this mismatch warrants caution before installing.
Guidance: This skill appears to do what it says (format stock-review text into WeChat-article style) but its runtime instructions tell the agent to automatically save outputs to a hard-coded root path (/root/.hermes/...). Before installing or using it: 1) Confirm where outputs will be written and change the default path to a directory you control; do not accept /root locations. 2) Test with non-sensitive/dummy text first to see if files are created and whether filenames are overwritten. 3) Ask the skill author to declare required config paths or to prompt for a save location rather than using a hard-coded root path. 4) Avoid feeding private credentials, API keys, or sensitive company data because the skill explicitly preserves original core viewpoints and will persist them. If the author cannot clarify or remove the hard-coded path and automatic save behavior, consider using a version that only returns the generated text (no automatic file writes).

Review Dimensions

Purpose & Capability: noteName and description (convert arbitrary text into WeChat/公众号-ready posts) align with the SKILL.md templates and formatting rules. The templates and processing rules are coherent for a content-generation tool.
Instruction Scope: concernThe SKILL.md explicitly instructs the agent to '自动保存' generated articles to a hard-coded default path (/root/.hermes/hermes-agent/gzh/[日期]_[标题].md). The skill does not instruct asking for user consent before saving, nor does it mention filename collision handling, limiting write scope, or handling of sensitive content. That filesystem-write instruction extends the agent's runtime scope beyond pure text transformation and could overwrite or persist sensitive user data.
Install Mechanism: okThis is an instruction-only skill with no install steps or bundled code. No binaries or external packages are installed, which minimizes code-execution risk from installation.
Credentials: concernThe skill declares no required env vars or config paths, yet the instructions reference an absolute path under /root/.hermes. This is an inconsistency: the skill implicitly requires filesystem write access to that location but did not declare it. The instruction to '100%保留原文所有核心实战观点' increases risk of persisting potentially sensitive or private content.
Persistence & Privilege: noteThe skill does persist generated content to disk by default, but it does not request always:true or other elevated platform privileges. Persisting user-provided content is plausible for a content tool, yet the default path choice and lack of an explicit opt-in/consent step are noteworthy.