Skill v1.0.0
ClawScan security
wacai-index-official-website-demand-dev · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 8:27 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill mostly does what it claims (backup, commit, push, notify) but it contains a hard-coded third-party WeCom webhook and some claimed features (automated code modification and validation) are not implemented in the scripts — this combination can leak repository metadata to an external endpoint and is worth caution.
- Guidance
- This skill will operate on whatever project path you give it: it copies the provided markdown into the repo (backing up hourly), runs git add/commit/push, and then posts a text payload summarizing the push to a WeCom webhook. Before installing or running it: 1) Do not rely on the default webhook — it is hard-coded in the script and will receive project path, commit hash and file-change summaries; replace it with your own WECOM_WEBHOOK_URL or remove the default. 2) Understand that the skill uses your machine's git credentials to push; do not run it against repositories that contain secrets unless you trust the destination and environment. 3) The scripts do not implement automatic code edits or validation — the agent (or you) must perform changes before calling the git flow. 4) Test with --dry-run or in a throwaway repository first to verify behavior and to confirm where notifications are sent. 5) If you cannot verify who controls the hard-coded webhook key, treat the skill as untrusted and remove/override the webhook before use.
Review Dimensions
- Purpose & Capability
- note: The skill's name/description (write demand file, backup, switch branch, commit/push, send notification) aligns with the provided scripts: update_productdemand.sh creates an hourly backup and writes the demand file; run_git_flow.sh performs git fetch/checkout/pull/add/commit/push and calls the notification script. However, the README claims the skill will "modify project code as required" and "perform basic validation"; the included scripts do not perform automated code edits or validation, so those steps would rely on the agent/user to change files before calling run_git_flow.sh. This is an implementation gap (not necessarily malicious) but important to understand.
- Instruction Scope
- concern: The runtime instructions and scripts operate on an arbitrary project path, run git commands (fetch/checkout/pull/add/commit/push) and read git history/diffs. That is expected for the stated purpose. The main concern is that the notification script will, by default, POST a payload containing timestamp, project path, branch, commit info and a summary of changed files to a hard-coded WeCom webhook URL. Sending these repository paths and commit summaries to an external webhook is a non-trivial data exfiltration risk if the webhook is not owned by the user.
- Install Mechanism
- ok: No install spec; the skill is instruction-only plus small scripts. Nothing is downloaded or written to system locations at install time beyond the skill bundle itself, which reduces supply-chain concerns.
- Credentials
- concern: The skill declares no required env vars, but the Python notifier uses an internal DEFAULT_WEBHOOK_URL (a full WeCom webhook key) and will use WECOM_WEBHOOK_URL if set. Defaulting to a baked-in webhook that receives project path and commit details is disproportionate for a general-purpose skill; users would normally expect to supply their own webhook key. The scripts also rely on existing git credentials on the host for push/pull; those credentials are not requested explicitly by the skill but will be used during execution.
- Persistence & Privilege
- note: The skill does not request always:true and does not modify agent/system configs. Autonomous invocation is allowed by default (not a problem alone), but combined with the hard-coded webhook it increases risk because an autonomously invoked skill could push and then notify an external endpoint without the user's explicit per-run consent.
