Skillv1.0.0

ClawScan security

wacai-index-official-website-demand-change · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 10, 2026, 8:24 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what it claims (save a demand file, prepare branch, commit/push, send a WeCom webhook) but includes surprising hard-coded paths and a built-in webhook URL that can leak repository path/commit info; it also instructs autonomous code modifications via a 'coding subagent' — all of which warrant caution before installing or running.
Guidance: Before installing or running this skill: 1) Review and replace the hard-coded SKILL_DIR path in scripts (it points at /Users/dyshi/...), otherwise scripts may fail or leak that path. 2) Treat the DEFAULT_WEBHOOK_URL as sensitive: it contains a webhook key and will receive project path and commit details by default — change it to your own webhook or require WECOM_WEBHOOK_URL to be set explicitly. 3) Understand that the workflow will run git add/commit/push using the host's git credentials — do not run against a repo that contains secrets or production data without review. 4) The SKILL.md asks the agent to start a 'coding subagent' to modify code automatically; if you do not want automatic code edits, require a manual review step or run the scripts in dry-run mode first. 5) Test in a throwaway or local clone, confirm webhook behavior with dry-run, and ensure you are comfortable with network notifications of project paths and commit contents before using on sensitive repositories.

Review Dimensions

Purpose & Capability: concernThe declared purpose (write demand file, run checks, git commit/push, notify via WeCom) matches the included scripts, but there are incoherences: multiple scripts hard-code SKILL_DIR to /Users/dyshi/.openclaw/... which contradicts the SKILL.md emphasis on not writing a fixed project path; the presence of a default WeCom webhook URL baked into the code is not documented in the skill metadata (no required env var declared). These choices are unexpected for a reusable skill.
Instruction Scope: concernSKILL.md instructs launching a 'coding subagent' to modify code based on the demand file — that gives the agent broad discretion to change arbitrary files under the provided project_dir. The scripts themselves perform git fetch/checkout/pull/add/commit/push and will send project path and commit details to a webhook. The workflow will therefore access local repo contents, commit history, and network-accessible endpoints; these actions go beyond simple file write and require explicit user consent and review.
Install Mechanism: okNo install step or external downloads are present; the skill is delivered as scripts and a SKILL.md. Nothing is written to disk during installation by the skill package itself (the scripts operate at runtime).
Credentials: concernThe package declares no required environment variables, yet push_wecom_push_notice.py uses a DEFAULT_WEBHOOK_URL constant with an embedded webhook key and will also accept a WECOM_WEBHOOK_URL environment override. That default URL will receive project path and commit information if used; the skill does not declare that it will transmit such data nor require an explicit webhook configuration. The scripts also implicitly rely on whatever git credentials are configured on the host for pushing — this is expected but sensitive and not documented in metadata.
Persistence & Privilege: okalways:false and no mechanism that forces permanent inclusion. The skill does not attempt to modify other skills or global agent settings. It operates on a user-supplied project directory and calls local git; those are runtime actions, not persistent platform-wide privileges.