iHub日报自动填写 (iHub daily report auto-fill)
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s iHub daily-report automation is mostly purpose-aligned, but the bundled script can print the user’s iHub password to output/logs.
Use it only with an iHub account you control, verify the report details before submission, and do not run the bundled script unless the password-printing behavior is fixed or you are certain the execution logs are private and short-lived.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your iHub password could appear in terminal output, agent logs, or other captured execution records.
The script accepts the user's iHub password and then includes it in the returned object that is printed to stdout when the script is executed.
```javascript
return { username, password, content, name, ... };
...
console.log(JSON.stringify(result, null, 2));
```
Do not print or return raw passwords. Use a scoped credential mechanism, redact secrets from output, and avoid passing passwords on command lines.
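The pattern the finding describes, beside a hardened form, as an added example that is not the skill's own code. It shows the credential being consumed for login and never placed in the returned object, plus a scrubber that masks secret-looking keys before anything is serialized to a log. The `login` callback, the field names and the key pattern are assumptions for illustration.

```javascript
// Added example (not the skill's code): keep the iHub password out of returned
// objects and logs. Field names and the key pattern are assumptions.

// Keys whose values are masked before output (assumption: deliberately broad).
const SECRET_KEY_RE = /pass(word)?|secret|token|cookie|authorization/i;

// Unsafe shape the finding describes: the credential rides along in the result
// and is then printed with console.log(JSON.stringify(...)).
function buildResultUnsafe(username, password, name, content) {
  return { username, password, name, content };
}

// Hardened: the credential is used once for login and never returned.
// `login` is injected so the example runs offline; a real one would hit iHub.
function buildResultSafe(login, username, password, name, content) {
  const session = login(username, password); // credential consumed here
  password = null;                           // drop the local reference
  return { username, name, content, sessionId: session.id };
}

// Recursively replace values of secret-looking keys; everything else is copied.
function redactSecrets(value) {
  if (Array.isArray(value)) return value.map(redactSecrets);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEY_RE.test(k) ? '[REDACTED]' : redactSecrets(v);
    }
    return out;
  }
  return value;
}

// Drop-in replacement for JSON.stringify(result, null, 2) in logging paths.
function safeStringify(value) {
  return JSON.stringify(redactSecrets(value), null, 2);
}

// Constructed demo input; the login stub does not contact iHub.
function demo() {
  const fakeLogin = () => ({ id: 'sess-1234' });
  const unsafe = buildResultUnsafe('alice', 'hunter2', 'Alice', '# Daily report');
  const safe = buildResultSafe(fakeLogin, 'alice', 'hunter2', 'Alice', '# Daily report');
  console.log(safeStringify(unsafe)); // password field shows as [REDACTED]
  console.log(safeStringify(safe));   // no password field at all
  return { unsafe: redactSecrets(unsafe), safe };
}

demo();
```

Even with `safeStringify` in place, the better fix is the `buildResultSafe` shape: if the secret never enters the result object, no later `console.log`, debug dump or agent trace can leak it.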
If the wrong date, name, or content is supplied, the agent may submit an incorrect daily report.
The skill is designed to save and submit changes in an authenticated iHub workspace. This is consistent with the skill purpose, but it is still mutation of account/workplace data.
13. Click "Completed" to save the content
14. Click the "Submit" button
15. Fill in the change reason and confirm the submission
Verify the target name, date, and Markdown content before invoking the skill; ideally require a final confirmation before clicking submit.
Injected page scripts can interact with the authenticated iHub page while the session is active.
The skill explicitly uses browser-page JavaScript injection to set form content. This is disclosed and purpose-aligned, but users should understand that the agent will execute code in the logged-in page context.
Use the evaluate API to inject JavaScript that fills in the content (triggering Vue two-way binding)
Keep the injected logic narrowly limited to the report field and avoid using this skill on unrelated pages or with untrusted report content.
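What a narrowly scoped injected snippet looks like, as an added example rather than the skill's own injection code. It refuses to run unless the page host is on an allowlist, touches only one selector, rejects empty or oversized content, and dispatches the `input` event that a Vue `v-model` binding listens for after writing `.value`. The host, the selector and the length limit are assumptions; the real iHub DOM is not known here. `document` and `location` are passed in so the same function runs inside a page and against the constructed stub at the bottom.

```javascript
// Added example (not the skill's code): a scoped fill function suitable for a
// browser evaluate API. Host, selector and length cap are assumptions.

const ALLOWED_HOSTS = ['ihub.example.com'];      // assumption: your iHub host
const REPORT_SELECTOR = 'textarea#daily-report'; // assumption: the report field
const MAX_CONTENT_LENGTH = 20000;                // refuse oversized blobs

// Node has a global Event since v15; fall back to a minimal stand-in elsewhere.
const EventCtor = typeof Event !== 'undefined'
  ? Event
  : class { constructor(type, opts) { this.type = type; this.bubbles = !!(opts && opts.bubbles); } };

// In a page call fillReportField(document, location, content).
function fillReportField(doc, loc, content) {
  if (!ALLOWED_HOSTS.includes(loc.hostname)) {
    return { ok: false, reason: `refusing to run on ${loc.hostname}` };
  }
  if (typeof content !== 'string' || content.length === 0 ||
      content.length > MAX_CONTENT_LENGTH) {
    return { ok: false, reason: 'content missing or too long' };
  }
  const el = doc.querySelector(REPORT_SELECTOR);
  if (!el || !['TEXTAREA', 'INPUT'].includes(el.tagName)) {
    return { ok: false, reason: `no form field matches ${REPORT_SELECTOR}` };
  }
  // Setting .value alone does not update a v-model binding; Vue reacts to the
  // 'input' event, so dispatch one after the write. Nothing else on the page
  // is touched, and no submit is triggered from here.
  el.value = content;
  el.dispatchEvent(new EventCtor('input', { bubbles: true }));
  return { ok: true, length: content.length };
}

// Constructed stand-ins for document/location so the checks run outside a browser.
function fakePage(hostname, fieldPresent = true) {
  const field = {
    tagName: 'TEXTAREA', value: '', events: [],
    dispatchEvent(e) { this.events.push(e.type); return true; },
  };
  const doc = { querySelector: (sel) => (fieldPresent && sel === REPORT_SELECTOR ? field : null) };
  return { doc, loc: { hostname }, field };
}

// Demo: one good page, one wrong host, one page without the field.
function demo() {
  const good = fakePage('ihub.example.com');
  const wrongHost = fakePage('evil.example.net');
  const noField = fakePage('ihub.example.com', false);
  const results = [
    fillReportField(good.doc, good.loc, '# Today\n- shipped the report fix'),
    fillReportField(wrongHost.doc, wrongHost.loc, '# Today'),
    fillReportField(noField.doc, noField.loc, '# Today'),
  ];
  results.forEach((r) => console.log(JSON.stringify(r)));
  return results;
}

demo();
```

The submit step stays outside this function on purpose: the agent should fill the field, show the user what landed in it, and only then click "Submit" once the user confirms.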
