龙虾教研日报助手 (Lobster Teaching and Research Daily Report Assistant)
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with daily report automation, but its monthly read/summary code appears to read all rows in the shared Tencent document instead of only the configured user’s rows.
Install only if you intend to connect this assistant to the specified Tencent Docs sheet. Before using monthly summaries, ask the publisher to fix or confirm user-level filtering so your reports do not include coworkers’ rows. Also verify the Tencent document IDs, pin the mcporter dependency if possible, and revoke the Tencent Docs authorization when you stop using the skill.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Monthly reads and summaries may include other people’s work logs from the shared Tencent document, not just the current user’s records.
The function receives a user record ID but does not use it when listing or filtering records; it filters only by month, so a shared sheet can return coworkers' records too.
read_monthly_records() { local user_record_id="$1" ... "smartsheet.list_records" ... "limit": 500 ... filtered = [r for r in results if r.get('date', '').startswith(month_prefix)]
Filter Tencent Docs queries by the configured user record ID, parse the personnel field, and confirm summaries are user-scoped before enabling monthly reports.
A conversational request can create leave, overtime, or work-report rows in the configured online spreadsheet.
The skill directly adds records to Tencent Docs. This is the advertised purpose, but it is still remote data mutation through a tool call.
npx -y mcporter call "tencent-docs" "smartsheet.add_records" --args "{ ... \"file_id\": \"$FILE_ID\", ... }"
Use it only with the intended Tencent document and consider requiring explicit confirmation before writes that affect official reports.
Anyone or anything that can use the configured mcporter profile may read or write Tencent Docs within the granted authorization.
The setup script configures a Tencent Docs authorization token for mcporter. This is expected for the integration, but it grants delegated document access.
npx -y mcporter config add tencent-docs "$TDOC_MCP_URL" --header "Authorization=$token" --transport http --scope home
Authorize with the least-privileged account available, revoke access when no longer needed, and avoid running the setup on shared machines.
Future runs may execute a newer mcporter version than the one originally reviewed, and that tool handles the Tencent Docs connection.
The runtime helper is unpinned and fetched/executed via npx. It is central to Tencent Docs access, but unpinned packages can change over time.
"optionalDependencies": { "mcporter": "latest" }, ... "install": "npx -y mcporter --version"
Pin mcporter to a reviewed version and provide a lockfile or verified install path.
Local workspace files can reveal the configured user name and Tencent Docs record mapping to anyone with access to the machine/workspace.
The skill persists user identity and authorization status in a local memory file. This is disclosed and useful for reuse, but it remains on disk.
cat > "$MEMORY_DIR/user-config.md" <<EOF ... - 姓名:$name ... - record_id:$record_id ... - 授权状态:已授权
Keep the workspace private and delete or rotate the memory file when changing users or uninstalling the skill.
