Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smart Daily Report by YQG

v3.0.2

Intelligent work report generator that collects activity from project history, task managers, and calendars to produce professional daily/weekly reports. Fea...

by Alex@yqghlx
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md describes collecting commit history, task manager data, and calendar items — which reasonably requires access to local git repos, a todoist client or API, and possibly calendar APIs. However the skill's metadata declares no required binaries or credentials. That is an incoherence: the instructions expect tools like git, an optional todoist CLI, and Feishu export capability but the skill does not declare these dependencies or any credentials.
Instruction Scope
Runtime instructions explicitly tell the agent to scan for project directories in common locations (workspace, home, desktop), read commit logs across branches, collect file/line change stats, and optionally use CLIs/APIs (todoist, feishu_doc). Scanning a user's home/workspace and reading many repo histories is broad and can access sensitive data; while this is functionally consistent with generating reports, the instructions give the agent wide discretion (search patterns, which directories to include) without safeguards or limits.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write code to disk or download external packages. That reduces installation risk.
Credentials
The skill declares no required environment variables or credentials, yet the instructions reference integrations (todoist CLI, Feishu doc export) which in practice require credentials or API access. The lack of declared env vars is an omission but not necessarily malicious — it likely assumes optional, user-provided tooling. Still, users should be aware the agent may prompt for or need credentials to use those features.
Persistence & Privilege
Flags show always:false and no special OS restrictions. The skill does not request permanent presence or elevated privileges in the metadata. Autonomous invocation is allowed by default (normal for skills) and does not combine here with other privilege escalations.
What to consider before installing

- This skill will (if allowed) search your filesystem for project directories (home, workspace, desktop) and read git commit logs and diff stats — that can expose any code or commit messages in those locations. If you have sensitive repos, only allow it access to specific folders or run it in a controlled workspace.
- The SKILL.md expects tools like git and optionally todoist CLI and Feishu export, but the skill metadata does not declare those dependencies or any credentials. Expect the agent to ask you for access/credentials when you try to use those integrations.
- If you want safer use, restrict the agent to explicit directories (tell it which repo paths), avoid enabling automatic scanning of your entire home, and avoid granting external service credentials (Feishu/Todoist) unless you trust the skill and want exports.
- Consider testing on a small project or dummy data first. If you need higher assurance, ask the skill author/homepage for details about which commands it will run and what exact data it collects.


latest: vk97dbmkzxawqmbm4bzcnnpgndx83yq4k
