Back to skill
Skillv1.0.10
ClawScan security
Health Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 9:48 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill's code, instructions, and requested environment access are coherent with a health-reporting tool that reads local markdown records, generates PDFs, and optionally pushes reports to configured webhooks; nothing appears to be requesting unrelated secrets or performing unexpected network exfiltration beyond the declared webhook functionality.
- Guidance
- This skill appears to do what it says: read local health notes, generate a PDF report, and optionally push it to webhooks. Before installing, do the following: (1) Inspect and confirm the config/.env and config/user_config.json — do not put secrets you don't trust into webhook fields. (2) Ensure MEMORY_DIR points only to the directory with the intended health markdown files (the script will read files there). (3) If you plan to host PDF reports on a web directory, verify REPORT_WEB_DIR and REPORT_BASE_URL point to a secure location you control — otherwise sensitive reports could be exposed. (4) Install into a Python virtualenv and pin dependencies (reportlab, Pillow) rather than using system Python. (5) If you do not want automatic external pushes, leave webhook vars empty; the code will still generate local PDFs. (6) Note minor metadata inconsistencies (registry header said no env vars / no install spec while SKILL.md and _meta.json require MEMORY_DIR and list an install command); these are probably packaging oversights — consider confirming the repo/version before trusting a published copy.
Review Dimensions
- Purpose & Capability
- noteThe skill's name/description (health report, PDF, multi-channel push) matches the code and declared capabilities: it reads user health records (MEMORY_DIR), generates PDFs, and posts to Dingtalk/Feishu/Telegram. Minor inconsistencies: the registry summary at the top of the package metadata said "Required env vars: none" while SKILL.md and _meta.json list several env vars (MEMORY_DIR is required). The SKILL.md also contains an 'install: pip install -r requirements.txt' line even though the registry said 'No install spec'. These are metadata mismatches but do not indicate malicious behavior.
- Instruction Scope
- okRuntime instructions and scripts explicitly read health records from the configured MEMORY_DIR, parse them, generate local PDF reports, and optionally send them via configured webhooks. The SKILL.md and README include clear warnings about data export and instruct the user to supply webhook targets. The instructions do not ask the agent to read unrelated system paths or arbitrary credentials.
- Install Mechanism
- okInstallation is via pip install -r requirements.txt (reportlab, Pillow). This is a standard Python install of known packages and the repository contains the code being run. No downloads from untrusted URLs, no archive extracts from unknown hosts, and no brew/npm installers. Installing Python packages is moderate-risk (as with any pip install) but proportionate for PDF generation.
- Credentials
- noteRequested environment variables (MEMORY_DIR required, plus optional TAVILY_API_KEY, DINGTALK_WEBHOOK, FEISHU_WEBHOOK, TELEGRAM_BOT_TOKEN/CHAT_ID, REPORT_WEB_DIR, REPORT_BASE_URL) are consistent with the described functionality. The only caution is that if a user configures REPORT_WEB_DIR/REPORT_BASE_URL to a public webroot, generated PDFs containing personal health data will become publicly accessible — the skill warns about this, but users must ensure they only set public URLs they control. No unrelated cloud credentials are requested.
- Persistence & Privilege
- okThe skill does not request 'always: true' and does not modify other skills or global agent settings. It includes scripts and a suggested crontab for scheduled runs, but scheduling is user-driven (the package contains a cron helper and a daily script). Autonomous invocation by the agent is allowed (default) which is normal — there are no additional privilege escalations in the package.