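📦 Bug Report — Bug Issue Reporting
v1.0.0
Listens for keywords such as "有xxx问题" ("there is an xxx problem") and "xxxBug", and automatically writes the bug information into a WeCom (企业微信) smart sheet. The issue description is filled in automatically, the processing status defaults to "处理中" (in progress), and the handler is fixed as "姜春波".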
Last updated: 2026/4/2
Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill does what it claims (posts reported bugs to a WeChat smart-sheet) but has several red flags you should address before installing. Key recommendations: (1) Do not install until you confirm why the npm package 'mcporter' is required — inspect that package's code and consider removing the install if unused. (2) Replace the hard-coded webhook key with a configured secret (environment variable) and verify who controls the webhook URL; do not expose tokens in skill files. (3) Avoid always:t...
⚠ Purpose and capability
The skill's behavior (POST bug reports to a WeChat smart-sheet webhook) matches the description, but the declared required binary 'mcporter' (installed via an npm package) is not referenced in the provided runtime script (scripts/add_bug.sh) or SKILL.md workflow. Requiring/installing mcporter appears unnecessary for the described functionality and is disproportionate.
ℹ Instruction scope
Runtime instructions and the script only construct a JSON payload and POST it to a single external webhook URL. They do not read other local files, env vars, or credentials. However the webhook URL (with an embedded key) is hard-coded into SKILL.md and the script, meaning any user-provided text matched as the 'issue' will be transmitted to that external endpoint.
⚠ Install mechanism
The install spec will npm-install a package named 'mcporter' and provide a binary 'mcporter'. The code and instructions do not use this binary, so installing an arbitrary npm package is unnecessary and introduces risk (npm packages execute code at install time and may be untrusted). No well-known release host or justification is provided.
⚠ Credential requirements
The skill requests no env vars, but it embeds a long webhook key directly in SKILL.md and the script. That key functions as a credential granting write access to the remote smart-sheet; hardcoding it in the skill both exposes it to anyone with the skill bundle and makes the skill capable of exfiltrating user-submitted content to that endpoint. Not requesting secrets is not the same as avoiding excessive access.
⚠ Persistence and privileges
The skill metadata sets always: true, meaning it will be force-included in every agent run. Combined with automatic posting to an external webhook, this increases the blast radius: the agent could more easily send user content to the webhook without explicit per-install consent. The always:true flag appears unnecessary for a reactive bug-reporting skill and is risky.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/4/2
● Suspicious
Install command
Official: npx clawhub@latest install global-bug
Mirror (accelerated): npx clawhub@latest install global-bug --registry https://cn.longxiaskill.com