issue-request-manager
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This looks like a benign issue-tracking helper, but it stores issue data locally and can send issue details through configured WeChat credentials.
Before installing, treat this as a local issue manager with optional WeChat notifications. Protect any WeChat Secret, verify message recipients, do not assume GitHub/GitLab/Jira integration is implemented, and confirm close/assign/priority changes before using them on real project data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users should not assume the skill will safely synchronize with external trackers unless they add and review that integration themselves.
The included code shows local issue objects, local JSON persistence, and WeChat notification helpers, but no GitHub/GitLab/Jira connector implementation.
Supports multi-platform integration (GitHub, GitLab, Jira, etc.)
Treat the included artifacts as a local issue manager with optional WeChat notifications; verify any external tracker integration before relying on it.
If later connected to a real project tracker, these actions could reassign, reprioritize, or close real work items.
These are issue-mutating operations; they fit the skill purpose and are documented as user commands, but they can affect workflow state.
`assign issue #<编号> to <用户>` ... `set priority #<编号> to <级别>` ... `close issue #<编号>`
Confirm mutating actions before applying them to real project systems, especially close or reassignment operations.
Future installs could resolve to different dependency versions than the author tested.
The dependency versions are lower-bound ranges rather than pinned or locked versions; installation is user-directed and no remote script is shown.
json5>=0.9.0 requests>=2.25.1
Pin or lock dependency versions before production use, and install only from trusted package sources.
Anyone with the configured WeChat app secret may be able to send messages through that enterprise application.
The notifier uses a configured enterprise WeChat secret to obtain an access token; this is expected for WeChat notifications but grants delegated messaging authority.
"corpsecret": self.secret; response = requests.get(url, params=params)
Use a least-privilege WeChat application, protect the Secret, rotate it if exposed, and avoid committing real credentials into config files.
Issue titles, descriptions, status, and assignee information may be disclosed to the selected WeChat users.
Issue notification messages can include issue descriptions and are sent to configured WeChat recipients through the WeChat API.
描述: {issue.get('description', 'N/A')[:100]}...; https://qyapi.weixin.qq.com/cgi-bin/message/send
Verify recipient lists and avoid sending sensitive customer, security, or internal details to broad groups.
Stored issue descriptions, comments, and assignees can remain on disk after use.
Issue data is persisted locally across runs in a JSON database, which is appropriate for the skill but may contain sensitive issue text.
db_path: str = "data/issues.json"; json.dump(self.issues, f, ensure_ascii=False, indent=2)
Store the data directory in an appropriate project location, protect it with normal file permissions, and delete or archive it when no longer needed.
