Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

daily-every

v1.0.2

Generates a morning briefing every day: Shanghai weather + the top 5 V2EX hot topics. Use when: the user says "generate today's briefing", or a cron job fires at 8 a.m. NOT for: detailed weather forecasts or in-depth news analysis.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name and description (daily Shanghai weather + top 5 V2EX hot topics) match the SKILL.md workflow: two curl calls and formatting. However, the SKILL.md's end goal is to 'push to Telegram', yet the skill declares no credentials or environment requirements needed to perform that push. That omission is a mismatch between claimed capability and declared requirements.
Instruction Scope (flagged)
The instructions explicitly run curl against wttr.in and the V2EX API (expected and in scope). They also say to 'push to Telegram' (推送 Telegram) but give no concrete API endpoint, header format, or required tokens; they therefore implicitly require Telegram credentials (bot token, chat_id) that are neither declared nor explained. The instructions do not ask to read unrelated files or system secrets, but the Telegram step implies use and transmission of credentials that are not specified.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest-risk footprint. It relies on curl being available at runtime (curl calls are in the instructions); the manifest does not declare it as required, which is a minor mismatch but not high risk.
Credentials (flagged)
The skill declares no required environment variables or credentials, yet the SKILL.md requires pushing messages to Telegram. Sending to Telegram would normally require at least TELEGRAM_BOT_TOKEN and a chat identifier (chat_id). A skill whose end goal is message delivery but which declares no credential at all is a mismatch that cannot be resolved from the manifest alone.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; autonomous invocation is allowed (platform default). It does not request any system-wide config changes or persistent privileges. Cron triggering is mentioned but cron setup is external to the skill.
What to consider before installing
This skill mostly does what it says: it fetches Shanghai weather and the V2EX hot list and formats a short briefing. However, the SKILL.md says to 'push to Telegram' while the skill manifest declares no Telegram credentials (bot token / chat_id) and does not explain how messages are delivered. Before installing or enabling this skill, ask the author to: (1) explicitly declare the required environment variables (e.g., TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID) and how they are stored; (2) document the exact POST/curl call used to send Telegram messages so you can audit it, including which hosts it contacts and what data it sends; (3) confirm whether curl is required on the runtime host (or add it to requires.binaries); and (4) if you will allow autonomous runs via cron, use a bot dedicated to this skill (Telegram bot tokens are not scoped, so a token grants full control of that bot) and rotate the token if it has been shared. If these clarifications are not provided, treat the skill as untrusted: it needs credentials to send messages but gives no guidance about how they are handled.
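What the "exact POST/curl call" and declared-credential requirements above look like in practice, as an added reference script written for this page (it is not the skill's own code and not OpenClaw tooling): two fixed outbound hosts, credentials read only from the environment, a fail-closed check before any network call, and the Telegram sendMessage request spelled out so it can be audited. The env var names TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are taken from the scan text; the wttr.in format string and the assumption that the V2EX hot.json body is an array of topic objects with a title field are assumptions; the sample JSON and weather line are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added reference implementation, not the skill's own code: an auditable
# data path for "Shanghai weather + V2EX top 5 -> Telegram".
# Assumptions: env var names TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID (from the
# scan text), the wttr.in format string, and the hot.json field layout.
set -u

WTTR_URL='https://wttr.in/Shanghai?format=%l:+%C+%t+%h+%w'   # assumed format string
V2EX_HOT_URL='https://www.v2ex.com/api/topics/hot.json'
CURL="${CURL:-curl}"   # overridable so a fake can stand in during review/testing

# Constructed sample of the V2EX hot.json shape (array of topic objects) and a
# constructed wttr.in one-line answer, used only for offline runs of the helpers.
SAMPLE_HOT_JSON='[{"id":1,"title":"Topic one","replies":3},{"id":2,"title":"Topic two, with a comma"},{"id":3,"title":"Topic three"},{"id":4,"title":"Topic four"},{"id":5,"title":"Topic five"},{"id":6,"title":"Topic six"}]'
SAMPLE_WEATHER='Shanghai: Partly cloudy +18C 72% 12km/h'

# Fail closed: every credential comes from the environment, nothing is baked in.
require_env() {
  missing=0
  for v in "$@"; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing required env var: $v" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Pull at most $2 titles out of a hot.json body ($1). grep/sed only, so the
# whole data path is readable in review; nothing but the title string is
# carried into the outbound message.
top_titles() {
  printf '%s' "$1" \
    | grep -o '"title": *"[^"]*"' \
    | sed 's/^"title": *"//; s/"$//' \
    | head -n "$2"
}

# Assemble the briefing from a weather line ($1) and newline-separated titles ($2).
build_briefing() {
  printf 'Shanghai morning briefing\nWeather: %s\n\nV2EX hot:\n' "$1"
  i=0
  printf '%s\n' "$2" | while IFS= read -r t; do
    i=$((i + 1))
    printf '%d. %s\n' "$i" "$t"
  done
}

# The only two inbound fetches; both bounded by --max-time and --fail.
fetch_weather() { "$CURL" -sS --fail --max-time 10 "$WTTR_URL"; }
fetch_hot()     { "$CURL" -sS --fail --max-time 10 "$V2EX_HOT_URL"; }

# The exact outbound call. The bot token is part of the URL path (Telegram Bot
# API convention), so never run this under `set -x` or with curl -v in logs.
telegram_send() {
  require_env TELEGRAM_BOT_TOKEN TELEGRAM_CHAT_ID || return 1
  "$CURL" -sS --fail --max-time 10 -X POST \
    "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
    --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
    --data-urlencode "text=$1"
}

main() {
  require_env TELEGRAM_BOT_TOKEN TELEGRAM_CHAT_ID || exit 1   # before any network call
  weather=$(fetch_weather) || exit 1
  hot=$(fetch_hot) || exit 1
  telegram_send "$(build_briefing "$weather" "$(top_titles "$hot" 5)")"
}

# The live path runs only when explicitly requested; sourcing the file just
# defines the functions, which is what a reviewer wants when reading it.
if [ "${DAILY_EVERY_RUN:-0}" = 1 ]; then
  main
fi
```

Exporting TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID and running with DAILY_EVERY_RUN=1 performs the live run; with either variable missing the script refuses before touching the network, which is the behaviour to look for when auditing a skill like this one. Because the token travels in the URL path, shell tracing, curl -v output and proxy access logs will all capture it, so a bot dedicated to this skill limits what a leak exposes.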

Like a lobster shell, security has layers — review code before you run it.

latest: vk97b7v5y6xjjggecc90qhq6pm583r439

