← Back to Skills Marketplace

Report Builder

Name: Report Builder
Author: omermesebuken1

by omermesebuken1 · GitHub ↗ · v0.1.0 · MIT-0

cross-platform ⚠ suspicious

131

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install report-builder

Description

Use when the main operator needs to turn the nightly shortlist into a Telegram morning report with inline approve/reject/later buttons.

Usage Guidance

Before installing or running this skill: (1) expect to provide a Notion API token, two Notion DB IDs (ideas and nightly runs), and a Telegram target—these are required though not declared; (2) review the included scripts carefully—build_report.mjs queries Notion and send_report.mjs spawns the local 'openclaw' binary and also runs a node script at an absolute path (/Users/dellymac/.openclaw/skills/notion-pipeline/scripts/factory_ops.mjs). That last behavior executes code outside the skill and could run arbitrary local logic—verify that target file (or change the code) before use; (3) verify the openclaw CLI behavior and ensure no unrelated secrets in your environment will be forwarded to child processes; (4) ask the publisher to update SKILL.md/registry metadata to list required env vars and to remove/justify calls to external absolute paths (or provide the referenced helper modules inside the bundle). If you cannot inspect or control the referenced local scripts, run this in a sandbox or decline the skill.

Capability Analysis

Type: OpenClaw Skill Name: report-builder Version: 0.1.0 The skill bundle is a standard automation tool designed to fetch data from Notion and send formatted reports to Telegram via the OpenClaw CLI. While it contains hardcoded absolute paths (e.g., `/Users/dellymac/...` in `build_report.mjs` and `send_report.mjs`) which limit portability, the logic is transparent and aligns with the stated purpose. There is no evidence of data exfiltration, malicious execution, or prompt injection; it uses standard Node.js APIs and official Notion endpoints.

Capability Assessment

⚠ Purpose & Capability

The skill's stated purpose is Notion -> Telegram reports, which would legitimately require Notion credentials/DB IDs and a Telegram target, but the registry metadata declares no required environment variables or primary credential. The code clearly expects OPENCLAW_NOTION_TOKEN, OPENCLAW_NOTION_DB_PROJECT_IDEAS, OPENCLAW_NOTION_DB_NIGHTLY_RUNS, and OPENCLAW_TELEGRAM_TARGET (among possible others). This mismatch between claimed requirements and actual needs is incoherent and surprising.

⚠ Instruction Scope

SKILL.md instructs running the included build and send scripts, which is expected, but those scripts: (1) call out to the Notion API and will fail unless tokens/DB IDs are present, (2) load local environment via an imported loadLocalEnv module, and (3) the sender executes (via node) an absolute path under /Users/dellymac/.openclaw/.../factory_ops.mjs to record deliveries. Running code outside the bundle and importing local helper modules expands scope beyond the described skill and may execute arbitrary local code.

ℹ Install Mechanism

No install spec (instruction-only) and included JS scripts—no network downloads or package installs are declared. That's lower install risk, but the bundle contains executable scripts that will run with the user's Node and rely on an external 'openclaw' binary.

⚠ Credentials

The scripts require sensitive environment variables (Notion bearer token and DB IDs, plus a Telegram target) but the registry declares none. The sender forwards process.env to spawned processes and invokes openclaw with that environment, which could expose unrelated secrets if present. The number and sensitivity of env variables is reasonable for the task, but failing to declare them is a proportionality/Transparency problem.

⚠ Persistence & Privilege

The skill is not flagged 'always' and does not request system-wide persistence; however it executes another local skill/script via an absolute path (factory_ops.mjs) and imports a local loadLocalEnv module. That cross-skill/local-code execution increases privilege surface because sending a report triggers execution of code outside this bundle, which is unexpected and potentially dangerous.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install report-builder
After installation, invoke the skill by name or use /report-builder
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.0

Initial publish

Metadata

Slug report-builder

Version 0.1.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Report Builder?

Use when the main operator needs to turn the nightly shortlist into a Telegram morning report with inline approve/reject/later buttons. It is an AI Agent Skill for Claude Code / OpenClaw, with 131 downloads so far.

How do I install Report Builder?

Run "/install report-builder" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Report Builder free?

Yes, Report Builder is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Report Builder support?

Report Builder is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Report Builder?

It is built and maintained by omermesebuken1 (@omermesebuken1); the current version is v0.1.0.

More Skills