Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Reports Creator
v1.0.0Automated report generation for self-reflection and system analysis. Creates daily, weekly, and monthly reports from logs, databases, and system metrics.
⭐ 0· 8·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description and SKILL.md all describe generating reports from local DBs, logs, and system metrics — that is coherent. However package.json and the SKILL.md both reference Python scripts under scripts/ (e.g. scripts/daily_report.py) and CLI binaries (reports-creator, openclaw reports) that are not included in the bundle. That mismatch (instructions expecting code that isn't present) is unexplained.
Instruction Scope
The runtime instructions explicitly tell the agent to read local DB files (docs.db, tree.db, logs.db), various log directories, and system metrics (node status, VPN, backups) — all within scope for a reporting skill. They also instruct adding cron entries to run python scripts. The SKILL.md does not instruct reading unrelated config or external secrets, but it assumes access to many local files; grant that access only if you trust the environment. The omission of the referenced scripts is the main scope inconsistency.
Install Mechanism
This is instruction-only (no install spec), so nothing is downloaded or written automatically by an installer. That's low-risk in isolation. The presence of package.json suggests packaging intent but there is no install script or published artifact included — a mismatch worth noting.
Credentials
The skill declares no required environment variables or credentials, which matches an on-host report generator. However the example configuration includes email_on_error: true without describing SMTP/email credentials or how emails would be sent. The SKILL.md also references integrations with other skills (db-maintainer, log-collector, workspace-db) but doesn't declare or explain any required tokens/config for those integrations.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges in metadata. The SKILL.md suggests adding cron jobs (which would require the operator to create them) but the skill itself doesn't declare any autonomous persistence or configuration changes. That is appropriate for this type of tool.
What to consider before installing
This skill reads local databases and logs and expects Python scripts (scripts/daily_report.py, scripts/weekly_report.py) and a CLI to exist, but the package contains only SKILL.md and package.json — the actual scripts are missing. Before installing or running it, get or review the referenced scripts and any cron setup so you can inspect exactly what they do (especially I/O, network calls, and any code that might send data off-host). Verify how email_on_error is implemented and where SMTP credentials would be stored. Ensure the skill will only read intended log/db paths and will not exfiltrate sensitive data. If you cannot review the missing scripts, treat the skill as untrusted and avoid granting it access to sensitive logs, databases, or system accounts.Like a lobster shell, security has layers — review code before you run it.
analysisvk97e7xxt088zzvrrg6nsb07syn852sa7latestvk97e7xxt088zzvrrg6nsb07syn852sa7monitoringvk97e7xxt088zzvrrg6nsb07syn852sa7reportingvk97e7xxt088zzvrrg6nsb07syn852sa7self-reflectionvk97e7xxt088zzvrrg6nsb07syn852sa7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.