Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

weekly-report-generator-feishu

v1.0.2

The Weekly Report Generator is an AI-based tool for automating weekly reports. It automatically extracts information from local Git commit history, work descriptions and work screenshots, generates a high-quality, modular, business-oriented weekly report for a specified period (default: the current week), and sends it automatically to Feishu (scheduled sending can be configured). It frees your hands completely, turning weekly-report writing from a "painful memory exercise" into a "one-sentence job". Key highlights: 1. One-click generation: a single sentence "按...

by memorial@prayone
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name/description (generate weekly reports and post to Feishu) aligns with the included scripts which read git logs and call Feishu APIs. However the SKILL metadata declares no required env vars or config paths while the scripts expect PROJECT_ROOT, APP_ID, APP_SECRET and RECEIVE_ID (and hardcoded paths like /Users/ai/cline-skills). The zero-config claim in prose ('zero configuration, scan all local folders') is misleading because the scripts require editing or environment variables to point to actual project paths and Feishu credentials.
Instruction Scope
Runtime instructions explicitly direct the agent to scan user-specified (or default) directories for all Git repositories, read git config (user.name/email), create files under /Users/ai/cline-skills, and then MUST immediately send the AI-optimized report to Feishu 'without any check or asking'. That combination means the skill will collect potentially sensitive local source history and push it externally without confirmation — scope creep and potential data exfiltration risk.
Install Mechanism
No external installers or remote downloads are present; the skill is instruction-plus-local-scripts (no install spec). This is lower risk from supply-chain perspective, but the bundled scripts will run shell/git/python commands on the host.
Credentials
The scripts require Feishu credentials (APP_ID, APP_SECRET) and optionally PROJECT_ROOT, but the skill registry declares no required env vars or primary credential. Storing APP_SECRET directly in a script is discouraged (the docs remark that you should avoid committing it). The requested credentials are proportionate for Feishu integration, but failing to declare them in metadata and recommending in-script storage is a mismatch and increases risk.
Persistence & Privilege
The skill does not request 'always: true' and does not auto-install itself, but its documentation and scripts instruct users how to create system-level scheduled tasks (macOS launchd) to run periodically. The bigger concern is that the SKILL.md enforces 'must send without asking' — if the agent is allowed autonomous invocation, that combination raises exfiltration risk. The skill itself does not modify other skills or global agent config.
What to consider before installing
This skill does roughly what it claims (collect git commits, format a report, post to Feishu) but has inconsistencies and risky behaviors you should address before installing:

- Review and edit scripts before running: change PROJECT_ROOT to a narrow path (not '/') and change WORK_DIR to a safe directory under your control.
- Do not place APP_SECRET in the script. Use environment variables or a secure secrets store and update send-to-feishu.sh to read them from env vars.
- The SKILL.md requires automatic sending to Feishu without confirmation — if you allow the agent to invoke skills autonomously, this can exfiltrate repository content. Require explicit user confirmation before any network send.
- Test scripts locally on a safe sample repository first (check what gets included in the generated report and ensure line/commit limits are acceptable).
- If you do not want periodic automatic runs, do not enable the provided launchd plist. Only enable scheduling after manual review.

Given these points, install only if you are comfortable auditing/running the scripts yourself and modifying them to require explicit confirmation and secure credential handling.


latest: vk979fvqxtghgz731jq4e67wecx842mh3
