Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
XMind Test Case Generator
v1.1.0
Generates XMind-format test cases from requirement documents. Use when the user asks to "write test cases", "generate test cases", or "write XMind test cases".
⭐ 0 · 75 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description, SKILL.md, reference.md and scripts/gen_xmind.py are consistent: the skill generates .xmind files from requirement docs and code analysis. Including a Python script that uses only stdlib to write a .xmind is proportionate to the stated purpose. However, SKILL.md explicitly refers to fetching Feishu documents (feishu_fetch-doc) and deep reading of code repositories, but the skill metadata does not declare any required credentials, tools, or config paths for Feishu or for repository access — an inconsistency between what the skill says it will do and what it declares it needs.
Instruction Scope
Runtime instructions require: re-pulling the full requirement document (if a Feishu link is provided), reading local files, and performing 'code deep analysis' including extracting client request URLs and reading service handlers. That means the agent (or the user running the script) will need to access potentially large or sensitive documents and codebases. The SKILL.md also mandates outputting a list of code file locations involved in the requirement. While these steps are relevant to generating thorough test cases, they expand the skill's operational scope into reading arbitrary user files and possibly organization docs — this should be explicit and limited by the user.
Install Mechanism
No install spec; the included script uses only Python standard libraries (json, zipfile, os, uuid, sys) and writes a .xmind ZIP to ~/Desktop/工作/. Instruction-only + small script is low-risk from an installation/execution perspective. The script does not download remote code or execute subprocesses.
Credentials
The skill declares no required environment variables or credentials, but SKILL.md references fetching Feishu documents (feishu_fetch-doc) and reading code repositories. If the agent or operator needs to fetch Feishu docs automatically, Feishu API credentials or an agent tool with Feishu access are needed — these are not listed in requires.env. There is therefore a missing/undeclared requirement: either the skill expects the platform to provide a feishu_fetch-doc tool or the user to supply tokens, but this is not documented, which is disproportionate and could lead to accidental exposure if the user attempts to grant broad access to enable the skill.
Persistence & Privilege
The skill does not ask for always:true and does not declare modifications to system-wide settings. It runs as an instruction/script and writes output to the user's Desktop path (~/Desktop/工作/). That write location is explicit in the script (generate_xmind) but is limited to the user's home directory; no persistent agent-wide privileges are requested.
What to consider before installing
What to consider before installing or running this skill:
- Clarify Feishu access: SKILL.md expects to fetch full Feishu documents (feishu_fetch-doc) but the skill metadata does not declare Feishu credentials or how that fetch is performed. Ask the author whether the skill relies on a platform tool with Feishu access or whether you must supply a Feishu API token. Do not grant broad org-wide tokens until you verify the implementation.
- Be cautious about granting the agent access to code repositories or local directories. The workflow explicitly requires deep reading of client/server code and extracting endpoints and handler locations — this is normal for thorough test-case generation, but it means the agent may read potentially sensitive source files. Prefer running the included script locally yourself against a curated subset of files instead of giving the skill autonomous file-system or repo access.
- Review the included script before use. The provided scripts/gen_xmind.py is short, uses only Python stdlib, creates a .xmind ZIP, and writes to ~/Desktop/工作/<name>.xmind. It does not perform network requests or run external commands — that reduces risk. Still, verify the output path and that overwriting existing files is acceptable.
- Limit exposure: If you must let the agent fetch docs, provide only the specific documents needed (or a temporary API token scoped to a single document) and avoid giving blanket access to all project repos or to organization-level data.
- Ask for clarification from the skill author about undeclared requirements: request a clear list of required tools/credentials (e.g., Feishu token, repo access method) and whether the skill will ever transmit fetched documents or code off the host. The current mismatch (instructions that need Feishu + no declared creds) should be resolved before enabling automatic execution.
If you're unsure, run gen_xmind.py yourself on a local, sanitized copy of the requirement document and a limited set of code files rather than giving the skill autonomous access to your systems.
Tags: latest · qa · testcase · xmind