Skill v1.0.0

ClawScan security

自媒体矩阵管家虾 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 9, 2026, 8:17 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files and runtime instructions are internally consistent with a multi-account social-media reporting tool; it processes user-provided CSV data locally and generates reports, and it does not request unexplained credentials or install arbitrary code.
Guidance
This skill appears to do what it says: load a CSV of account metrics, compute metrics and alerts, and produce a Markdown report. Before installing or running it:
1) Confirm your input files are CSV (the script does not parse Excel files).
2) Be aware uploaded data will be written to the agent workspace — avoid including sensitive credentials or PII in those CSVs.
3) If you want automated pushes to Feishu or chat, you'll need to supply credentials to the separate messenger/Feishu integration (this skill does not request or manage those creds).
4) Test with a small dataset first (notes say large matrices >50 accounts should be batched).
5) If you need Excel support or automatic push behavior, request or inspect additional code that handles those features before granting access.
Overall the skill is coherent and low-risk, but follow standard data-handling precautions.

Review Dimensions

Purpose & Capability
note: The name/description match the included script and reference files: the Python script parses account CSVs, computes metrics, detects anomalies, and builds a Markdown report as described. Minor mismatch: SKILL.md states it accepts 'CSV/Excel' files, but the provided script only implements CSV parsing (csv.DictReader) and has no Excel parsing dependency.
Instruction Scope
note: Instructions keep to the stated purpose: save user-provided data to the workspace and run the analysis script. They do reference creating a Feishu doc (feishu_create_doc) and sending messages via a 'message' tool for pushing reports; those are external integrations and are only suggested — the skill itself does not contain code that calls network endpoints. The SKILL.md does instruct storing files in the workspace; users should be aware that uploaded data will be written to disk.
Install Mechanism
ok: No install spec is provided and the skill is instruction-only plus a small local script. Nothing is downloaded or installed by the skill, so there is no install-time risk.
Credentials
note: The skill declares no required environment variables or credentials, which is appropriate for a local CSV-processing tool. However, the SKILL.md references external push mechanisms (Feishu/group message) that in practice require credentials — those are not declared here. That is a minor inconsistency (the skill itself does not automatically acquire or request those credentials).
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system configuration.