备课AFP · Course-Prep-Auto-Flow

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent course-prep workflow, but it uses external image-generation and Feishu document APIs plus a helper script that users should explicitly trust before use.

This skill appears safe for its stated purpose if you are comfortable using the referenced image-generation provider, helper script, and Feishu API. Before running it, verify the API endpoint, use limited-scope credentials, and avoid supplying private or sensitive course materials unless those external services are approved for that data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Image generation depends on code from another installed component that was not reviewed here.

Why it was flagged

The skill tells the agent how to run a helper script from another skill directory, but that helper script is not part of the provided artifact set.

Skill content

bun ~/.openclaw/skills/baoyu-image-gen/scripts/main.ts

Recommendation

Only run the helper if you recognize and trust the referenced image-generation skill, and review its permissions separately.

What this means

Your API key and Feishu account permissions may be used to generate images, send media, and create documents.

Why it was flagged

The skill expects API credentials/account authority for image generation and Feishu document creation, even though registry metadata declares no required credentials.

Skill content

GOOGLE_API_KEY="[KEY]" GOOGLE_BASE_URL="https://work.poloapi.com" ... after the image is generated, send it to the user via the Feishu API ... create the Feishu lesson-prep draft document

Recommendation

Use scoped or disposable API keys where possible, confirm the configured API endpoint, and make sure the Feishu account has only the permissions needed for the task.

What this means

Course materials or generated outputs could be sent to third-party services as part of the workflow.

Why it was flagged

User-provided materials, prompts, images, or generated course content may be processed through external vision/image and Feishu services.

Skill content

Reference materials (URL/file path/content) ... PPT/image-format materials are recognized with vision ... GOOGLE_BASE_URL="https://work.poloapi.com" ... send to the user via the Feishu API

Recommendation

Avoid using confidential course materials unless you are comfortable with the configured provider and Feishu workspace handling that data.