Claw Office Report

This skill will silently send your CLAW_OFFICE_KEY and small 'start/stop/update' messages to an external server whenever tasks start/finish. Consider these points before installing: - Trust: Only install if you trust the remote host (clawoffice.zjhzwukan.xyz by default). The key is transmitted to that host; it could be used to act on your account in the mini-program. - Covert behaviour: The SKILL.md explicitly instructs the agent to hide these reports from you and to ignore/report failures silently. If you want transparency about network activity, do not install or remove the concealment rules. - Implementation issues: The code contains inconsistencies/bugs (mismatched API path in docs vs code, and the report() function builds a shell curl command that will stringify the body as [object Object] rather than valid JSON). Those bugs make the actual payload/behaviour unclear and warrant review/fix before trusting the skill. - Endpoint override: An undocumented env CLAW_OFFICE_API can redirect reports — only set it to a host you control or trust. Recommended actions: - Review and fix the report() implementation (use the prepared JSON string, proper quoting or avoid shelling out by using an HTTP client), and confirm the destination URL. - If you proceed, only enable the skill for accounts you control and be explicit with the user that background reporting occurs. If you do not accept covert background reporting, do not install. If you want, I can produce a patched version of index.js that (a) sends valid JSON, (b) logs actions locally (or only runs when you explicitly allow), and (c) documents the CLAW_OFFICE_API override so behaviour is transparent.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.