Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weekly Report Flow Yjf

Generate and submit weekly reports from Aliyun DevOps workitems via EMOP API. Use when asked to run the weekly report flow, backfill missing weeks, or explai...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 43 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described capability (generate weekly reports from Aliyun DevOps and submit to EMOP) aligns with the API endpoints and payloads in SKILL.md and references. However, the package metadata declared no required environment variables while the SKILL.md explicitly requires DEVOPS_TOKEN and EMOP_TOKEN; this mismatch reduces trust in the packaging and documentation.
Instruction Scope
Instructions tell the agent to use DevOps API and POST to EMOP (expected), but also say to 'Use browser session if direct API returns 403' without specifying how. That fallback could push an agent to access browser cookies/sessions or other local state. The references file lists absolute local script paths and an output markdown path under C:\Users\Administrator\.openclaw\workspace, suggesting the skill expects or references local artifacts; the SKILL.md simultaneously says 'never write to disk' for tokens — these contradictions are concerning.
Install Mechanism
This is instruction-only with no install spec and no code files, so there is no installer risk. Nothing will be written to disk by an install step in this package itself.
Credentials
The runtime needs two sensitive secrets (DEVOPS_TOKEN and EMOP_TOKEN), which are reasonable for the stated purpose, but the skill metadata did not declare required env vars or a primary credential. That omission is an inconsistency that could lead to accidental credential leakage or misuse. Also, the instructions' ambiguous browser-session fallback raises the risk that other local credentials or cookies could be accessed if not properly constrained.
Persistence & Privilege
always:false is set, and no install/persistence mechanism is present. The skill does not request permanent presence or elevated platform privileges in the manifest.
What to consider before installing
This skill appears to do what it claims (pull from Aliyun DevOps and POST summaries to EMOP), but packaging and instructions are inconsistent in ways that increase risk. Before installing or running it:

  • Ask the author to correct the manifest to list required environment variables (DEVOPS_TOKEN, EMOP_TOKEN) and to declare a primary credential. The manifest should match SKILL.md.
  • Clarify the 'use browser session' fallback. Do not allow any automated agent action that reads browser cookies, local browser storage, or other system secrets unless you explicitly audit and approve that behavior.
  • Inspect any referenced local scripts (the listed C:\Users\Administrator\.openclaw\workspace files). The skill references local script paths; open and review those files before running anything that will execute them.
  • Provide least-privilege tokens: use service account or scoped tokens that can only read workitems or submit reports, and be prepared to rotate them.
  • Run first in a restricted environment or sandbox and monitor outbound requests to confirm only the documented endpoints (devops.aliyun.com and emop.oureman.com) are contacted.

If the author cannot or will not fix the manifest/instructions and explain the browser-session behavior and referenced local scripts, treat the skill as unsafe to use with sensitive credentials.


Current version: v1.0.2
latest: vk979ve30b7wxrrfx05pspn4mss83gw09

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Weekly Report Flow (DevOps → Summary → EMOP)

When to use

  • User asks to generate/submit weekly reports.
  • User asks to backfill missing weeks.
  • User asks to automate the DevOps→summary→EMOP flow.

Required inputs

  • DEVOPS_TOKEN in environment (never write to disk)
  • EMOP token in environment (never write to disk)
  • Assignee default: 姚江峰
  • Types: 需求/任务/缺陷 (requirement/task/defect)

Workflow

  1. Pull DevOps workitems

    • Use browser session if direct API returns 403.
    • Endpoint: /projex/api/workitem/workitem/list?_input_charset=utf-8
    • Header: x-yunxiao-token: $DEVOPS_TOKEN
    • Page size 200, iterate all pages.
    • Filter in client by assignee/nickName and type.
  2. Classify

    • Include current sprint workitems.
    • Include last-week created items not in current sprint.
    • Last week: Mon 00:00 → Sun 23:59 (Asia/Shanghai).
  3. Summarize

    • 200–300 Chinese characters, department-formal, not a bare running log of tasks (流水账).
    • Output Markdown and also HTML ordered list <ol><li>...</li></ol>.
  4. Submit to EMOP

    • POST https://emop.oureman.com/api/weekly/report
    • Headers: token: $EMOP_TOKEN, Content-Type: application/json; charset=utf-8
    • Body fields:
      • date: single day (last Friday, yyyy-MM-dd)
      • reportDate: ISO UTC yyyy-MM-ddTHH:mm:ss.000Z
      • content: <ol><li>...</li></ol>
    • Send the body as UTF-8 bytes to avoid garbled characters (乱码).

Backfill mode

  • For each missing week (by Friday date), pull DevOps items for that week and generate summary.
  • Submit one report per week.
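As an added example (not part of this skill's SKILL.md or its referenced scripts), the Python below works through steps 2 to 4 of the workflow plus the outbound-host check the scan results recommend: the last-week window in Asia/Shanghai, the client-side classification, the UTF-8 JSON body for EMOP with HTML-escaped titles, and an allowlist limited to the two documented hosts. The workitem field names and the sample data are assumptions, not the real DevOps schema; passing an earlier `now` yields the window and Friday date for a backfilled week.

```python
import html, json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit
SHANGHAI = timezone(timedelta(hours=8))                      # Asia/Shanghai is UTC+8, no DST
ALLOWED_HOSTS = {"devops.aliyun.com", "emop.oureman.com"}    # the two documented endpoints
EMOP_URL = "https://emop.oureman.com/api/weekly/report"

def last_week_window(now):
    # Previous week in Asia/Shanghai: Monday 00:00:00 to Sunday 23:59:59, inclusive.
    local = now.astimezone(SHANGHAI)
    monday = (local - timedelta(days=local.weekday())).replace(hour=0, minute=0, second=0, microsecond=0)
    return monday - timedelta(days=7), monday - timedelta(seconds=1)

def last_friday(now):  # the 'date' body field: Friday of last week as yyyy-MM-dd
    return (last_week_window(now)[0] + timedelta(days=4)).strftime("%Y-%m-%d")

def select_items(items, assignee, types, current_sprint, now):
    # Client-side filter by assignee/type; keep current-sprint items plus items created last week.
    start, end = last_week_window(now)
    keep = []
    for it in items:                       # item keys are an assumption, not the real DevOps schema
        if it["assignee"] == assignee and it["type"] in types:
            created = datetime.fromisoformat(it["created"])
            if it["sprint"] == current_sprint or start <= created <= end:
                keep.append(it["title"])
    return keep

def build_emop_body(now, titles):
    # JSON body as UTF-8 bytes; titles are escaped so they cannot break the <ol><li> markup.
    content = "<ol>" + "".join(f"<li>{html.escape(t)}</li>" for t in titles) + "</ol>"
    body = {"date": last_friday(now), "content": content,
            "reportDate": now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")}
    return json.dumps(body, ensure_ascii=False).encode("utf-8")   # raw UTF-8, no \uXXXX escapes

def check_host(url):
    # Refuse any URL outside the documented hosts before a request is ever sent.
    host = urlsplit(url).hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"undocumented host: {host}")
    return host

def run_demo():
    # Constructed sample: a Wednesday after the week of 6-12 May 2024, and three workitems.
    now = datetime(2024, 5, 15, 10, 0, tzinfo=SHANGHAI)
    items = [
        {"title": "完成登录模块", "assignee": "姚江峰", "type": "需求", "sprint": "S12", "created": "2024-05-08T09:00:00+08:00"},
        {"title": "修复 <bug> #12", "assignee": "姚江峰", "type": "缺陷", "sprint": "S11", "created": "2024-05-09T14:00:00+08:00"},
        {"title": "旧任务", "assignee": "姚江峰", "type": "任务", "sprint": "S10", "created": "2024-04-20T10:00:00+08:00"},
    ]
    titles = select_items(items, "姚江峰", {"需求", "任务", "缺陷"}, "S12", now)
    return {"titles": titles, "body": build_emop_body(now, titles), "host": check_host(EMOP_URL)}
```

The old task is dropped because it is neither in sprint S12 nor created inside the 6-12 May window, and the returned body is what would be POSTed with the `token` and `Content-Type` headers from step 4.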

References

  • See references/urls.md for project URLs and IDs.
  • See references/cli.md for local script entrypoints.

Files

3 total
