Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weekly Report Flow

Generate and submit weekly reports from Aliyun DevOps workitems via EMOP API. Use when asked to run the weekly report flow, backfill missing weeks, or explai...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 40 · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's functionality (Aliyun DevOps -> summary -> EMOP submission) aligns with the endpoints and tokens described in SKILL.md and references/urls.md. However, the registry metadata lists no required environment variables or primary credential while SKILL.md explicitly requires DEVOPS_TOKEN and EMOP token — a clear metadata mismatch that reduces transparency.
Instruction Scope
Runtime instructions tell the agent to use a 'browser session' if API returns 403 and to iterate pages/filter client-side, and they reference local script entrypoints and an output path under C:\Users\Administrator\.openclaw\workspace. Those instructions could lead the agent to rely on browser cookies or local files not declared in the metadata; SKILL.md also says 'never write to disk' for tokens yet references an output markdown file, a contradictory scope.
Install Mechanism
No install spec and no code files are included (instruction-only). This minimizes disk-write/install risk. However, references to local scripts suggest the workflow expects local tooling that is not packaged with the skill.
Credentials
Requesting a DevOps API token and an EMOP token is proportionate to the described task. But those environment requirements are not declared in the skill metadata. Additionally, variable naming is inconsistent (SKILL.md mentions both 'EMOP token' and 'EMOP_TOKEN') and instructions imply possible access to browser/local state beyond the tokens, which is not justified or declared.
Persistence & Privilege
The skill is not always-enabled and does not request permanent presence. It does reference local workspace files but does not attempt to modify other skills or system-wide settings according to the provided files.
What to consider before installing
This skill appears to do what it claims (pull Aliyun DevOps items and post summaries to an EMOP endpoint), but there are several inconsistencies you should resolve before installing or running it:

  • Metadata mismatch: SKILL.md requires DEVOPS_TOKEN and an EMOP token, but the registry metadata lists no required env vars. Ask the publisher to declare the required env vars in the metadata and to confirm the exact variable names (DEVOPS_TOKEN vs EMOP_TOKEN).
  • Browser-session instruction: the guidance to 'use browser session if direct API returns 403' is vague. Clarify how the skill would access the browser session (will it ask you to paste cookies/CSRF tokens, or try to read browser profile data?). Access to browser cookies or profiles can expose other credentials; do not allow it without understanding the mechanism.
  • Local paths referenced: references/cli.md points to scripts and output files under C:\Users\Administrator\.openclaw\workspace. Ask whether the skill will execute those local scripts or expects you to run them. If the skill will execute local files, request the exact code and a security review; if not, the references should be removed.
  • Test in dry-run: before supplying production tokens, test with a limited-scope/dev token and a sandbox EMOP endpoint (or a mock) to confirm behavior and output format (HTML <ol><li>…</li></ol>), and verify that no unexpected local or browser access occurs.
  • Validate endpoints and token scope: confirm the EMOP endpoint (https://emop.oureman.com/api/weekly/report) is correct and that the tokens you supply are scoped to only the necessary operations (posting weekly reports) and can be revoked.

If the publisher can (1) fix the metadata to list required env vars and their names, (2) remove or clearly document any steps that require reading browser cookies or executing local scripts, and (3) provide the local scripts for review (or confirm they are optional), my confidence in this skill would increase.


Current version: v0.1.0 (latest: vk975v7947depjhqjgmazmf29en83gn9q)

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

Weekly Report Flow (DevOps → Summary → EMOP)

When to use

  • User asks to generate/submit weekly reports.
  • User asks to backfill missing weeks.
  • User asks to automate the DevOps→summary→EMOP flow.

Required inputs

  • DEVOPS_TOKEN in environment (never write to disk)
  • EMOP token in environment (never write to disk)
  • Assignee default: 姚江峰
  • Types: 需求/任务/缺陷 (Requirement/Task/Defect)

Workflow

  1. Pull DevOps workitems

    • Use browser session if direct API returns 403.
    • Endpoint: /projex/api/workitem/workitem/list?_input_charset=utf-8
    • Header: x-yunxiao-token: $DEVOPS_TOKEN
    • Page size 200, iterate all pages.
    • Filter in client by assignee/nickName and type.
  2. Classify

    • Include current sprint workitems.
    • Include last-week created items not in current sprint.
    • Last week: Mon 00:00 → Sun 23:59 (Asia/Shanghai).
  3. Summarize

    • 200–300 Chinese characters, department-formal, not a bare running log of activity.
    • Output Markdown and also HTML ordered list <ol><li>...</li></ol>.
  4. Submit to EMOP

    • POST https://emop.oureman.com/api/weekly/report
    • Headers: token: $EMOP_TOKEN, Content-Type: application/json; charset=utf-8
    • Body fields:
      • date: single day (last Friday, yyyy-MM-dd)
      • reportDate: ISO UTC yyyy-MM-ddTHH:mm:ss.000Z
      • content: <ol><li>...</li></ol>
    • Ensure the body is sent as UTF-8 bytes to avoid garbled characters.

Backfill mode

  • For each missing week (by Friday date), pull DevOps items for that week and generate summary.
  • Submit one report per week.
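
The following is an added example, written for this review and not one of the skill's own scripts (references/cli.md is not packaged, so its contents are unknown). It implements the four workflow steps above and backfill mode offline: tokens are read from the environment only, a 403 from the DevOps API is raised to the operator rather than silently replaced by a browser session, workitem titles are HTML-escaped before they are placed in the <ol><li> list, and the JSON body is produced as real UTF-8 bytes. Everything the skill does not specify is an assumption and marked as such in the code: the DevOps response shape, the item fields nickName/type/sprintId/createdAt/subject, the pageNumber/pageSize query parameters, and the reading of "last Friday" as the Friday of the week being reported (which is what backfill's "by Friday date" implies). The sample items and the fixed clock are constructed.

```python
"""Weekly report flow: DevOps workitems -> classify -> HTML summary -> EMOP request.
Added example, not the skill's own scripts. ASSUMED: the DevOps response shape, the item
fields nickName/type/sprintId/createdAt/subject and the pageNumber/pageSize query params."""
import json
import os
import urllib.request
from datetime import date, datetime, time, timedelta, timezone
from html import escape
from typing import Callable

SHANGHAI = timezone(timedelta(hours=8), "Asia/Shanghai")  # fixed +08:00: Shanghai has no DST
LIST_PATH = "/projex/api/workitem/workitem/list?_input_charset=utf-8"
EMOP_URL = "https://emop.oureman.com/api/weekly/report"
PAGE_SIZE = 200
TYPES = {"需求", "任务", "缺陷"}  # Requirement / Task / Defect

def token_from_env(name: str) -> str:
    """Secrets are read from the environment only, never written to disk or logged."""
    return os.environ[name]  # KeyError if missing: fail loudly instead of falling back

def fetch_devops_page(base_url: str, token: str, page: int) -> list[dict]:
    """Live call (query params and 'result' key are assumed). A 403 raises HTTPError and is
    reported to the operator; it is not silently worked around with browser cookies."""
    req = urllib.request.Request(
        f"{base_url}{LIST_PATH}&pageNumber={page}&pageSize={PAGE_SIZE}",
        headers={"x-yunxiao-token": token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8")).get("result", [])

def pull_all(fetch_page: Callable[[int], list[dict]], assignee: str) -> list[dict]:
    """Walk pages of 200 until a short page; filter by assignee and type client-side."""
    items, page = [], 1
    while True:
        batch = fetch_page(page)
        items += [i for i in batch if i.get("nickName") == assignee and i.get("type") in TYPES]
        if len(batch) < PAGE_SIZE:
            return items
        page += 1

def previous_friday(now: datetime) -> date:
    """Friday of the week before `now`, in Asia/Shanghai (assumed reading of 'last Friday')."""
    local = now.astimezone(SHANGHAI).date()
    return local - timedelta(days=local.weekday() + 3)

def week_window(friday: date) -> tuple[datetime, datetime]:
    """Mon 00:00:00 -> Sun 23:59:59 (Asia/Shanghai) of the week containing `friday`."""
    monday = datetime.combine(friday - timedelta(days=4), time.min, tzinfo=SHANGHAI)
    return monday, monday + timedelta(days=7, seconds=-1)

def classify(items: list[dict], current_sprint, friday: date) -> list[dict]:
    """Current-sprint items plus items created inside the week; backfill passes sprint None."""
    start, end = week_window(friday)
    def keep(it):
        created = datetime.fromisoformat(it["createdAt"]).astimezone(SHANGHAI)
        return (current_sprint is not None and it.get("sprintId") == current_sprint) or start <= created <= end
    return [it for it in items if keep(it)]

def to_html_list(lines: list[str]) -> str:
    """Workitem titles are untrusted input: escape them so they cannot inject markup."""
    return "<ol>" + "".join(f"<li>{escape(line)}</li>" for line in lines) + "</ol>"

def build_emop_request(content_html: str, friday: date, now: datetime, emop_token: str) -> tuple[dict, bytes]:
    body = {
        "date": friday.isoformat(),  # yyyy-MM-dd
        "reportDate": now.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "content": content_html,
    }
    headers = {"token": emop_token, "Content-Type": "application/json; charset=utf-8"}
    # ensure_ascii=False plus an explicit .encode keeps Chinese text as real UTF-8 bytes;
    # POST these bytes with urllib.request.Request(EMOP_URL, data=body, headers=headers, method="POST")
    return headers, json.dumps(body, ensure_ascii=False).encode("utf-8")

def run_flow(fetch_page, assignee, current_sprint, friday, now, emop_token) -> dict:
    """One report for the week of `friday`; returns the prepared request without sending it."""
    kept = classify(pull_all(fetch_page, assignee), current_sprint, friday)
    html = to_html_list([f"{it['type']}: {it['subject']}" for it in kept])
    headers, body = build_emop_request(html, friday, now, emop_token)
    return {"items": kept, "html": html, "headers": headers, "body": body, "date": friday.isoformat()}

def backfill(fetch_page, assignee, fridays: list[date], now, emop_token) -> list[dict]:
    """One report per missing week, classified by that week's window only."""
    return [run_flow(fetch_page, assignee, None, f, now, emop_token) for f in fridays]

# Constructed sample data, not real DevOps output; NOW is Wed 2024-05-29 15:00 in Shanghai.
SAMPLE_ITEMS = [
    {"nickName": "姚江峰", "type": "任务", "sprintId": "S12", "createdAt": "2024-05-20T09:00:00+08:00", "subject": "Finish <b>login</b> refactor"},
    {"nickName": "姚江峰", "type": "缺陷", "sprintId": "S11", "createdAt": "2024-05-22T10:00:00+08:00", "subject": "Fix 403 on list API"},
    {"nickName": "姚江峰", "type": "需求", "sprintId": "S11", "createdAt": "2024-05-10T10:00:00+08:00", "subject": "Old item"},
    {"nickName": "someone", "type": "任务", "sprintId": "S12", "createdAt": "2024-05-21T10:00:00+08:00", "subject": "Not mine"},
    {"nickName": "姚江峰", "type": "周报", "sprintId": "S12", "createdAt": "2024-05-21T10:00:00+08:00", "subject": "Wrong type"},
]
NOW = datetime(2024, 5, 29, 15, 0, tzinfo=SHANGHAI)

def demo() -> dict:
    """Offline run: one fake page, placeholder token, nothing sent."""
    return run_flow(lambda p: SAMPLE_ITEMS if p == 1 else [], "姚江峰", "S12", previous_friday(NOW), NOW, "emop-token-placeholder")
```

For a live run, replace the lambda in demo() with `lambda p: fetch_devops_page(base_url, token_from_env("DEVOPS_TOKEN"), p)` and pass `token_from_env("EMOP_TOKEN")`; the prepared `headers` and `body` are then posted exactly as returned. Because the filtering and classification happen on the prepared data, the same functions can be exercised against a mock endpoint first, which is the dry-run the scan report recommends before production tokens are supplied.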

References

  • See references/urls.md for project URLs and IDs.
  • See references/cli.md for local script entrypoints.

Files

3 total
