weekly-menu Security Report — Trusted | ClawSafe

5 /100

weekly-menu

Generate a weekly meal plan with images, recipes, and shopping lists via Xiaohongshu search and Feishu document creation

This is a pure-documentation skill with no executable code — it defines a workflow for generating weekly meal plans via Feishu API and Xiaohongshu search, with all capabilities fully declared in SKILL.md.

Skill Nameweekly-menu

Duration28.3s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use.

Findings 1 items

Severity	Finding	Location
Low	References workspace paths without confirming bundled files Doc Mismatch SKILL.md references meals/profile.yaml and workspace/tmp/dishes/ but these are user-created runtime paths, not skill-bundled files. This is borderline misleading but acceptable as the skill is designed to create user-specific files on first run. `User profile at meals/profile.yaml (see references/profile-template.yaml)` → Clarify that meals/profile.yaml is a user-created file, not included in the skill bundle.	`SKILL.md:11`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`READ`	`READ`	✓ Aligned	SKILL.md reads meals/profile.yaml, meals/history.yaml; references/profile-templa…
Network	`READ`	`READ`	✓ Aligned	curl downloads dish images from free sources; Feishu API calls documented in ref…
Shell	`WRITE`	`WRITE`	✓ Aligned	SKILL.md line 62: curl -sL downloads images to workspace/tmp/dishes/ — declared …
Environment	`NONE`	`NONE`	—	No environment variable access found; credentials sourced from ~/.openclaw/openc…
Skill Invoke	`READ`	`READ`	✓ Aligned	SKILL.md line 35: mcporter call 'xiaohongshu.search_feeds(...)' — declares depen…
Clipboard	`NONE`	`NONE`	—	No clipboard access detected
Browser	`NONE`	`NONE`	—	No browser automation detected
Database	`NONE`	`NONE`	—	No database access detected

6 findings

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal

references/feishu-doc-recipe.md:8

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/docx/v1/documents

references/feishu-doc-recipe.md:18

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/drive/v1/permissions/

references/feishu-doc-recipe.md:29

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/drive/v1/medias/upload_all

references/feishu-doc-recipe.md:70

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/docx/v1/documents/

references/feishu-doc-recipe.md:84

🔗

Medium External URL 外部 URL

https://open.feishu.cn/open-apis/drive/v1/files/

references/feishu-doc-recipe.md:95

File Tree

3 files · 10.4 KB · 344 lines

Markdown 2f · 240L YAML 1f · 104L

├─ ▾ 📁 references

│ ├─ 📝 feishu-doc-recipe.md Markdown 113L · 3.6 KB

│ └─ 📋 profile-template.yaml YAML 104L · 1.9 KB

└─ 📝 SKILL.md Markdown 127L · 4.9 KB

Security Positives

✓ No executable code (scripts, Python, JavaScript) — purely documentation

✓ All network calls are to documented Feishu API endpoints (open.feishu.cn)

✓ Image downloads use curl with explicit timeout flags (--connect-timeout 10 --max-time 20) — bounded execution

✓ Credential access (Feishu app_id/secret) is declared and reads from a standard config file (~/.openclaw/openclaw.json)

✓ Xiaohongshu search is delegated to the agent-reach skill, not implemented directly

✓ No credential harvesting, data exfiltration, base64 encoding, or obfuscation observed

✓ All file system access (profile.yaml, history.yaml) is declared and scoped to user data files

✓ SKILL.md clearly documents prerequisites, workflow steps, and file references

Scan Report

Findings 1 items

File Tree

Security Positives