Skill v1.0.0

ClawScan security

finebi-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 10, 2026, 1:21 AM
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with a FineBI → reporting/syncing use case: it asks for FineBI URL/username/password, expects node, and contains detailed SOPs for exporting, previewing, and pushing BI data to Feishu artifacts.
Guidance
This skill appears coherent for integrating FineBI with reporting and Feishu workflows, but review before enabling:
1) Only provide FineBI credentials (use a least-privileged account or API user).
2) Confirm your OpenClaw environment has node and any finebi-cli the platform expects.
3) Be aware the skill may copy exported PDFs/images from temporary locations into the agent workspace — ensure you are comfortable with the agent reading files placed there and that paths are limited to the exported artifacts.
4) Platform actions the skill calls (create-task, send-message-card, create-doc, bitable writes) depend on the host/platform connectors and permissions; ensure those integrations are configured and scoped appropriately.
5) Because this is instruction-only (no shipped code), the runtime behavior depends entirely on the platform's tool implementations — review audit logs and test with non-production data and limited credentials first.

Review Dimensions

Purpose & Capability
ok: Name/description (FineBI integration, data analysis, export, sync) align with the declared requirements: node binary and FineBI credentials (FINEBI_BASE_URL, FINEBI_USERNAME, FINEBI_PASSWORD). There are no unrelated env vars or binaries requested.
Instruction Scope
note: The SKILL.md contains comprehensive, low-freedom SOPs that restrict actions to FineBI data flows (search, preview, export) and downstream platform actions (create-task, send-message-card, create-doc, bitable writes). It instructs the agent to copy exported PDFs from temp directories into the workspace (examples using cp / Copy-Item) and to use the platform's built-in pdf tool for analysis only. This file-system copying is reasonable for processing exported artifacts but means the agent will operate on local file paths (examples reference user workspace paths). Verify that copying is limited to the expected exported files and not used to read arbitrary files.
Install Mechanism
ok: Instruction-only skill with no install spec or downloaded code. Lowest installer risk; it relies on an existing node binary (reasonable if finebi-cli is node-based).
Credentials
ok: Requested env vars (FINEBI_BASE_URL, FINEBI_USERNAME, FINEBI_PASSWORD) are appropriate and proportional for accessing a FineBI instance. No extra unrelated secret/env var requests are present. The skill references downstream actions to send messages/create tasks/create docs (Feishu) but does not request Feishu credentials — those likely come from platform connectors, which is expected.
Persistence & Privilege
ok: always is false and the skill is user-invocable. There is no install step that persists code or modifies other skills; no elevated persistence requested.