Fbs Bookwriter
Hold | Warn | Audited by ClawScan on May 10, 2026.
Overview
This mostly looks like a long-form writing tool, but it also carries under-declared account/payment credential signals and persistent host-memory access that deserve careful review.
Install only if you are comfortable with a script-heavy local writing assistant. Keep it sandboxed, use a dedicated manuscript folder, review npm dependencies, avoid disabling the sandbox, and do not provide OAuth tokens, WeCom credentials, or payment-related approval unless the skill clearly explains the provider, scope, and cost.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
The skill may ask for or use account tokens, sensitive credentials, or paid/entitlement actions that a user would not expect from a writing-only description.
These signals indicate account, payment, or secret-handling authority, while the registry metadata declares no primary credential or required environment variables and the SKILL.md description centers on writing/export automation.
Capability signals: can-make-purchases; requires-oauth-token; requires-sensitive-credentials
Recommendation: Require explicit documentation of each credential, provider, scope, and purchase/entitlement action; ensure any OAuth, WeCom, payment, or credit-related operation is opt-in and confirmed by the user.
Finding 2
Book content, user preferences, style information, or project state could be stored and reused in later sessions, including outside the immediate writing turn.
The skill describes persistent project memory and host-memory mutation, but the artifacts do not fully bound what host memory is modified, how long it is retained, or when user approval is required.
Evidence (manifest fragment, quoted as found):
"hostMemory": { "operations": ["create", "update", "delete"], ... "authoritativeBookState": ".fbs/smart-memory/ 与 session-exit 落盘" }
(The Chinese part of the last value reads: ".fbs/smart-memory/, written to disk at session-exit".)
Recommendation: Use a dedicated book root, review and clean .fbs memory files, and require clear consent before creating, updating, deleting, or importing host-level memory/profile data.
Finding 3
Running the skill can execute local scripts and commands with the permissions of the OpenClaw process.
Static scan shows local shell execution, including PowerShell with execution-policy bypass. The skill is openly Node-script driven, so local execution is expected, but this is still high-impact authority.
Evidence (static scan fragment, quoted as found):
const r = spawnSync('powershell', ['-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', tmpPs1], {
Recommendation: Run it only from a trusted workspace, keep sandboxing enabled where possible, inspect commands before invoking optional diagnostics, and avoid running publish/development scripts unless you intend to.
Finding 4
Installing dependencies may run package-manager behavior outside the skill instructions, depending on package contents and npm settings.
The skill requires a user-directed npm dependency install despite having no formal install spec. This is normal for a Node tool, but dependency provenance and install-time behavior should be reviewed.
Evidence (install instruction, translated from Chinese): Run the dependency install once in the skill root: `npm install`
Recommendation: Inspect package.json and any lockfile before installation; consider running npm install in a sandbox or with lifecycle scripts disabled if you only need to review the skill.
