Skip to content

fix: resolve ClawHub suspicious scan for youmind-wechat-article#9

Open
DophinL wants to merge 1 commit intomainfrom
fix/wechat-article-scan
Open

fix: resolve ClawHub suspicious scan for youmind-wechat-article#9
DophinL wants to merge 1 commit intomainfrom
fix/wechat-article-scan

Conversation

@DophinL
Copy link
Copy Markdown
Contributor

@DophinL DophinL commented Mar 30, 2026

Problem

youmind-wechat-article flagged as Suspicious on ClawHub with three reason codes:

  • suspicious.dangerous_exec — wildcard Bash(python3 scripts/*) and Bash([ -n "$YOUMIND_API_KEY" ] *)
  • suspicious.potential_exfiltrationexecSync in mermaid-processor.ts, fetch calls in wechat-api.ts/image-gen.ts
  • suspicious.llm_suspicious — compound of the above

Fixes

1. Narrowed allowed-tools

Before (wildcards):

- Bash(node dist/cli.js *)
- Bash(python3 scripts/*)
- Bash([ -n "$YOUMIND_API_KEY" ] *)

After (explicit subcommands):

- Bash(node toolkit/dist/cli.js convert *)
- Bash(node toolkit/dist/cli.js publish *)
- Bash(node toolkit/dist/cli.js stats *)
- Bash(node toolkit/dist/cli.js learn-edits *)
- Bash(node toolkit/dist/cli.js build-playbook *)
- Bash(python3 scripts/fetch_hotspots.py *)
- Bash(python3 scripts/seo_keywords.py *)
- Bash(python3 scripts/validate_skill.py *)

2. Removed YOUMIND_API_KEY from requires.env

The key is recommended but not required. Scanner flags optional vars in requires.env as 'unnecessary credential exposure'.

3. Expanded .clawhubignore

Added toolkit/src/ and toolkit/tsconfig.json — the TypeScript source containing execSync and fetch calls no longer gets uploaded. Users build locally via npm run build.

Version bump

1.0.01.0.1 to trigger re-publish after merge.

@DophinL
fix: resolve ClawHub suspicious scan for youmind-wechat-article
df937a9 
Three scan flags: dangerous_exec, potential_exfiltration, llm_suspicious.

Fixes:
1. Narrow allowed-tools: remove wildcard patterns (python3 scripts/*,
   node dist/cli.js *) and env check ([ -n "$YOUMIND_API_KEY" ] *).
   Replace with explicit command paths for each CLI subcommand.

2. Remove YOUMIND_API_KEY from requires.env: the key is recommended
   but not required (skill works without it, just loses YouMind features).
   Scanner flags optional vars in requires.env as 'unnecessary credential
   exposure'.

3. Expand .clawhubignore: exclude toolkit/src/ (contains execSync in
   mermaid-processor.ts and fetch calls in wechat-api.ts, image-gen.ts)
   so scanner doesn't see them. Only SKILL.md + references + scripts
   (Python) get uploaded.

Bump version to 1.0.1 for re-publish.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@DophinL