Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Requirement Analyzer

v1.0.0

Analyzes requirement documents for AI agent platforms and extracts test requirements, feature points, interaction scenarios, and boundary conditions. Focuses on the full agent lifecycle: creation, configuration, publishing, and invocation. Use when: the user says "analyze requirements", "requirement parsing", "agent requirement analysis", "PRD analysis". NOT for: generating test cases (use agent-testcase-generator), generating test...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (analyzing agent requirement docs and extracting test points) matches the instructions and output format. However the SKILL.md also embeds a specific Feishu knowledge-base ID and node for writing results — this is not strictly necessary for the core analysis capability and is a surprising hard-coded destination.
Instruction Scope (!)
Instructions only reference parsing provided requirement documents and producing structured reports, which is in scope. But they explicitly specify a Feishu write location and include allowed-tools for Feishu create/update/fetch; this means user-provided docs (and any extracted content) will be pushed to an external endpoint and a specific knowledge-space by default. The skill does not request explicit user confirmation or document how/when it will upload private content.
Install Mechanism
Instruction-only skill with no install spec or downloaded code; no files are written to disk by an installer. This is the lowest install risk.
Credentials (!)
The skill declares no required env vars or credentials, but it uses platform-level Feishu tools (feishu_create_doc, feishu_update_doc, feishu_fetch_doc). The presence of a hard-coded Feishu target is disproportionate unless the user expects reports to be published to that specific workspace — it effectively transmits analyzed content externally and requires platform Feishu integration/permissions.
Persistence & Privilege
always:false and no install persistence are appropriate. However the skill can be invoked autonomously (platform default) and it has tooling to create/update external documents; autonomous invocation combined with automatic external posting increases blast radius if misused. Consider restricting autonomous invocation or reviewing connector permissions.
What to consider before installing
This skill appears to do what it says (analyze agent PRDs and produce structured reports), but it includes explicit Feishu integration and a hard-coded Feishu knowledge-base/node where it will write results. Before installing or invoking it:

1) Confirm you want analysis outputs sent to that Feishu location (the SKILL.md lists IDs).
2) Check what platform Feishu connector permissions the skill will use (who can read the created docs).
3) If input documents contain sensitive data, avoid automatic publishing or disable Feishu writing.
4) If you don't trust the default destination, ask the skill author to make the output destination configurable or to require user confirmation before uploading.
5) Consider disabling autonomous invocation for this skill if you want to prevent background runs that could transmit data.


latest vk972a8az9mc1pyzzykfs733c9984sjyb
