Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smart Report Generator

v1.0.0

Automatically generate and schedule daily, weekly, or monthly reports with customizable templates and multi-platform IM push support.

0 · 126 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description promise scheduling and multi-platform push (Feishu/企业微信 (WeCom)/钉钉 (DingTalk)/Slack), but the shipped code only implements Feishu and DingTalk sending and does not implement scheduling. The code does use an OpenClaw API client (for the AI summary), which is consistent with an AI-assisted report feature, but that credential is not declared in the registry metadata or in SKILL.md.
Instruction Scope
SKILL.md tells the user to pip install 'openclaw lark' and run the script with a config file. It does not mention that the script reads an OPENCLAW_API_KEY environment variable, nor does it list the required Python packages the code imports (requests, pyyaml). SKILL.md claims scheduling and broader platform support that the runtime instructions and code do not implement.
Install Mechanism
There is no formal install spec (instruction-only with a code file). That is lower risk than arbitrary downloads, but SKILL.md's pip install command is incomplete: required runtime packages (requests, pyyaml) are not mentioned.
Credentials
The code reads OPENCLAW_API_KEY from the environment to call an OpenClaw API, but the skill metadata declares no required env vars or primary credential, and SKILL.md doesn't instruct the user to set this key. Requiring an API key is reasonable for model calls, but it should be declared and documented. The config expects webhook URLs (sensitive endpoints) — that is in line with the functionality but should be called out.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and does not require config paths beyond a local config file — no elevated persistence privileges detected.
What to consider before installing
Key things to consider before installing or running:

- Undeclared credential: report_bot.py reads OPENCLAW_API_KEY from the environment, but the registry and SKILL.md don't mention this. If you run it and set that key, the script will call the OpenClaw API — only provide that key if you trust the service and the skill author.
- Missing dependency documentation: SKILL.md tells you to pip install 'openclaw lark', but the script also needs requests and pyyaml (PyYAML). Add/verify these packages before running.
- Feature mismatches: The markdown and description claim scheduling and Slack/企业微信 (WeCom) support, but the code does not implement scheduling and only implements Feishu and DingTalk. Treat those claims as inaccurate until the author fixes them.
- Webhook safety: The config requires a webhook URL. Webhooks are sensitive; do not paste production or privileged webhooks without understanding where messages will be sent and who can receive them.
- Audit the code and run in a sandbox: The script is short and readable, but you should inspect the code yourself (or run it in an isolated environment) to confirm there are no hidden endpoints or unexpected network calls. Confirm which OpenClaw account the API key will be billed to and what data is sent to the API (the weekly summary prompt includes the full task list).
- What would change this assessment: if the author updates the registry metadata to declare OPENCLAW_API_KEY as a required credential, updates SKILL.md to list all Python dependencies, and clearly documents the supported platforms and scheduling behavior (or implements these features), then the inconsistencies would be resolved and confidence would increase.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97atkx3t7jb47qxy1h3t95qzh833w2j
