Skillv1.0.4

ClawScan security

Weixin Task Workbench · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 26, 2026, 10:12 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and behavior are coherent with a local task-registry + session-routing workbench for Weixin: it only needs python3, reads/writes local registry files, and uses declared session tools; no network exfiltration or extra credentials are requested — but review local-file merging and sessionKey exposure before installing.
Guidance: Before installing: (1) accept that the skill will create and modify files under tasks/weixin/<account>/<peer>.json (persistent local state); audit or sandbox the directory if you need isolation. (2) Be aware the registry script may discover and merge registries from sibling account directories during initialization (intended for restore) — if you want strict per-account isolation, verify the directory layout and consider restricting filesystem access. (3) The skill is designed to surface the internal sessionKey in the '任务状态' troubleshooting view; if exposing session identifiers to end users is a concern, review or modify that behavior. (4) Ensure the host provides the required session tools (sessions_spawn, sessions_send, sessions_history) as the skill will block rather than degrade if they are missing. (5) Review the bundled scripts (scripts/task_registry.py) on your host before enabling, and back up any existing tasks/weixin data.

Review Dimensions

Purpose & Capability: okName/description (Weixin task workbench) align with what the skill requests and does: it needs python3 and session-related agent tools to spawn/send/history sessions, and it persists per-contact registries on disk. Required binaries/env/paths are proportional to the stated purpose.
Instruction Scope: noteSKILL.md confines actions to task control and registry operations and requires the agent to call sessions_spawn/sessions_send/sessions_history and the included task_registry.py. Two small scope notes: (1) the doc says 'do not expose sessionKey unless user explicitly asks', but the '任务状态' / status command explicitly returns task sessionKey for troubleshooting — this is a documented, limited exception but is inconsistent in wording; (2) the agent is instructed to fail/abort if session tools are absent (no silent registry-only fallback) which is a deliberate design choice and must be honored by the runtime.
Install Mechanism: okNo install spec; instruction-only plus a bundled Python script. No remote downloads, package installs, or nonstandard binary locations are present.
Credentials: okThe skill requests no environment variables or external credentials. It reads/writes local files under tasks/weixin/<account>/<peer>.json; that file-system access is necessary for its purpose but should be noted by the user (files are created and can be copied between alias paths).
Persistence & Privilege: noteThe skill writes persistent registry files under tasks/weixin/ and will create directories and alias copies. It does not request always:true nor elevated platform privileges. Note: the script includes logic to search sibling account directories and may merge/restore registries from other account directories when initializing an empty registry — intended for recovery but could lead to cross-account registry reads if multiple account directories are present.