chatbi-skil-test
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly does what it says, but it embeds production-looking ChatBI account/workspace/table identifiers and uses a plaintext remote API by default, so users should review its data-access boundary carefully.
Install only if you are authorized to use the embedded ChatBI workspace and tables. Prefer replacing the hardcoded endpoint and identifiers with your own scoped, read-only configuration, verify that the service uses a trusted HTTPS/TLS path, and avoid raw/debug output for confidential data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Queries may run against a preconfigured ChatBI production workspace or tables rather than the installing user's own scoped account.
These fixed account/workspace/room values are included in the API payload for each query, while the registry metadata declares no primary credential or required config. The artifacts do not show a clear per-user authorization boundary.
namespace: str = "Production" ... uin: str = "100046891355" ... owner_uin: str = "100045409577" ... workspace_id: str = "17706053554554763" ... room_key: str = "825697144996966400"
Require user-provided, least-privilege ChatBI credentials or workspace configuration; document the exact datasets authorized; and remove hardcoded production account identifiers from the default skill.
Sensitive business questions, workspace/table identifiers, and returned data could be exposed if the network path is not otherwise protected.
The default provider endpoint uses plaintext HTTP. The client posts the user's question and configuration payload to this URL and receives the query results from it.
api_url: str = "http://llmapp-prod.testsite.woa.com/api/v1/chatflows/80fbae66-9abc-42ed-8270-5ec0bcd5e526/prediction"
Use an HTTPS/TLS endpoint by default, document the trusted destination, and avoid sending sensitive enterprise data unless the transport and service boundary are verified.
A broad or mistaken question could cause backend SQL queries that return more business data than intended.
The skill explicitly delegates natural-language questions to a backend agent that generates and executes SQL. This is disclosed and central to the purpose, but it is still a powerful data operation.
Natural-language data query → intent understanding → intelligent table selection → SQL generation and execution → result retrieval
Use explicit questions, review generated SQL and result scope, and ensure the ChatBI backend enforces read-only access and dataset-level permissions.
Saved debug files may contain sensitive enterprise query results and could be copied or retained unintentionally.
The optional debug path writes all raw streamed events to a local JSON file. Those events may include queries, generated SQL, table choices, and returned data.
if args.save_raw: ... json.dump(response.raw_events, f, ensure_ascii=False, indent=2)
Avoid --save-raw for confidential data, store any debug files securely, and delete them when no longer needed.
Future dependency versions could behave differently or introduce vulnerabilities.
The dependency is installed from a version range rather than an exact pinned version or lockfile. This is common for simple CLIs, but it is less reproducible.
requests>=2.28.0
Pin dependencies or provide a lockfile and install from a trusted package index.
