v1.0.0

Sports Science Daily

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:25 AM.

Analysis

This looks like a coherent sports-science report generator, but it relies on Feishu/Notion credentials and external project code that users should review before running.

Guidance: Before running this skill, review the referenced sports-science-daily project code and dependency file, use dedicated low-privilege Feishu/Notion credentials, verify the configured recipient and sharing settings, and be aware that each run can write local report/history files and publish a cloud document.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Output:
- Feishu Cloud Document (auto-created with shareable link)
- Feishu message card sent to configured recipient

The skill discloses that running it will create cloud documents and send a message card. This is aligned with the reporting purpose, but it is an external write/action users should intentionally approve.

User impact: A normal run may create a shareable document and notify a configured Feishu user or chat.
Recommendation: Confirm the recipient, sharing permissions, and workspace before running; avoid using production or broad-access integrations unless needed.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
Run the update:
```bash
python3 main.py --days 2
```
... main.py # CLI entry point

The instruction-only skill references runnable project code and dependencies that are not included in the supplied artifact set. This is a provenance note: users should review the external project before executing it.

User impact: Installing the skill alone does not provide the code being run; if users fetch or already have the project, they are trusting code outside this artifact review.
Recommendation: Obtain the project from the stated repository, inspect main.py and requirements.txt, and prefer pinned dependencies before providing credentials or running the command.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
requires.env:
  - FEISHU_APP_ID
  - FEISHU_APP_SECRET
  - FEISHU_RECEIVE_ID
... NOTION_TOKEN and NOTION_PAGE_ID

The skill asks for Feishu app credentials and optional Notion credentials to publish reports. This is expected for the stated Feishu/Notion sync purpose, but those credentials grant workspace integration authority.

User impact: If credentials are over-privileged or the recipient ID is wrong, the skill could publish documents or send cards in an unintended workspace or chat.
Recommendation: Use dedicated, least-privilege Feishu and Notion integrations; verify FEISHU_RECEIVE_ID before running; rotate or remove tokens when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Info | Confidence: High | Status: Note
SKILL.md
Deduplicates against local history to prevent repeat content ... Updated `processed_history.json` for deduplication

The skill keeps local persistent state to decide what content has already been processed. This appears limited to public-source deduplication, but it can influence future reports.

User impact: A stale or tampered history file could cause future articles to be skipped or reprocessed.
Recommendation: Keep processed_history.json in the project directory, back it up if needed, and delete or inspect it when you want to reset deduplication behavior.