ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weekly Report Generator

v1.0.0

AI-powered weekly report generator. Scans GitHub issues/PRs, calendar events, reminders, and project files to generate a polished weekly report in Markdown....

0· 71·0 current·0 all-time
by@fx-world888

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for fx-world888/weekly-report-fx.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Weekly Report Generator" (fx-world888/weekly-report-fx) from ClawHub.
Skill page: https://clawhub.ai/fx-world888/weekly-report-fx
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install weekly-report-fx

ClawHub CLI

Package manager switcher

npx clawhub@latest install weekly-report-fx
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (aggregate GitHub, calendar, reminders) matches the included code which clearly implements GitHub collection and local report generation. However SKILL.md and README reference additional source modules (scripts/sources/*) and calendar/reminder integrations that are not present in the file manifest; this suggests either incomplete packaging or overstated capabilities.
Instruction Scope
The runtime instructions focus on fetching GitHub data and generating a local report, which is within scope. They instruct users to set GITHUB_TOKEN and optional FEISHU/Reminders integrations. The code uses GITHUB_TOKEN and dotenv; reminders/calendar integrations are described as relying on other skills but the code's reminders collector is a placeholder that returns no data. Instructions are not asking the agent to read unrelated system files, nor to exfiltrate to unknown endpoints.
Install Mechanism
There is no install spec that downloads remote archives or executes installers; the package simply includes a Node script and package.json listing small, common dependencies (date-fns, dotenv). This is low risk from an installation-source perspective.
!
Credentials
Registry metadata lists no required environment variables, yet SKILL.md and the script document and use GITHUB_TOKEN (and README mentions FEISHU_APP_ID/FEISHU_APP_SECRET). The skill loads .env via dotenv, which means any local .env secrets could be read at runtime. The absence of declared required env vars in the registry is an inconsistency that reduces transparency and could surprise users who assume no credentials are needed.
Persistence & Privilege
The skill is not force-enabled (always:false) and does not request system-wide configuration changes or elevated privileges. It runs as a one-off script and does not persist or modify other skills' settings.
What to consider before installing
This skill appears to implement GitHub-based weekly reports and does not contain obviously malicious code, but there are mismatches you should be comfortable with before installing: - The registry metadata declares no required env vars, but the code uses GITHUB_TOKEN and README/SKILL.md mention FEISHU and reminders credentials. Treat this as an omission and assume you must provide a token for private repo access. - The SKILL.md/README reference additional source files (calendar/reminders collectors) that are not included. The missing files may mean some integrations won't work or the package is incomplete. - The script uses dotenv and will load a local .env if present — ensure your .env does not contain unrelated secrets you don't want the skill to read. Steps to reduce risk: - Inspect the included scripts/generate-report.mjs yourself (or have a developer do so) to confirm where network calls are sent (GitHub API is expected). Look for any hard-coded remote endpoints beyond api.github.com. - If you must provide a GITHUB_TOKEN, create a token with the minimum scopes required (public_repo or repo scope as needed), or use a read-only token / throwaway account if you want to test. - Run the skill in dry-run mode first and with GITHUB_TOKEN unset to verify behaviour without exposing credentials. - Ask the publisher for the missing source files or a project homepage and verify the author (fx-world888) before providing any private credentials. Given the inconsistencies (undeclared env vars, missing modules), I mark this as suspicious rather than benign; these could be harmless packaging oversights but deserve verification.
scripts/generate-report.mjs:73
Environment variable access combined with network send.
!
scripts/generate-report.mjs:8
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97awx6r1ghhm9acfzhbvpyztx84drdw
71downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@fx-world888
latest
Download

Weekly Report Generator

AI-powered weekly report generator that aggregates your week's work across multiple sources.

Features

  • GitHub Integration: Scan issues, PRs, commits from specified repositories
  • Calendar Integration: Pull meeting summaries from Feishu Calendar
  • Task Integration: Check completed tasks from Apple Reminders or Things 3
  • AI Summarization: Use AI to distill raw data into meaningful insights
  • Multiple Formats: Output as Markdown, HTML, or plain text
  • Customizable Styles: Detailed, concise, or executive summary styles

Setup

1. Configure GitHub Token (optional - for private repos)

export GITHUB_TOKEN=ghp_your_token_here

2. Configure Reminders (optional)

The skill uses the built-in apple-reminders or things3 skills if available.

3. Configure Feishu Calendar (optional)

Set your Feishu calendar integration if needed.

Usage

Basic - This Week's Report

generate-weekly-report

Generate for Last Week

generate-weekly-report --week-offset -1

Detailed Executive Report

generate-weekly-report --style executive --format markdown

Output Example

# Weekly Report — 2026 Week 14

## Summary
Generated on: 2026-04-07
Period: April 7, 2026 → April 13, 2026

## 🚀 Accomplishments

### GitHub Activity
- Closed 5 issues across 3 repositories
- Merged 3 pull requests
- 12 commits pushed

### Tasks Completed
- Finished API integration for Dashboard
- Fixed authentication bug in Login flow
- Reviewed PR #142

### Meetings
- Sprint Planning (Monday)
- 1:1 with Engineering Manager (Friday)

## 📊 Metrics
- **PRs Merged**: 3
- **Issues Closed**: 5
- **Commits**: 12

## 🎯 Next Week's Goals
- Continue dashboard development
- Start user feedback implementation

Architecture

  • scripts/generate-report.mjs — Main report generation engine
  • scripts/sources/github.mjs — GitHub data collector
  • scripts/sources/reminders.mjs — Task manager collector
  • scripts/sources/calendar.mjs — Calendar collector
  • scripts/ai/summarize.mjs — AI summarization module

License

MIT

Comments

Loading comments...