Daily News Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill’s news-fetching, voice broadcast, and optional scheduling behavior matches its stated purpose, but users should understand it uses API credentials, posts to Feishu, and can run on a cron schedule.

This appears purpose-aligned, but before installing you should review the separate Feishu voice helper, use restricted API credentials, choose a safe Feishu target chat, and only add the cron job if you really want unattended daily broadcasts.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the skill can use your Feishu app credentials and API keys to send broadcasts and call third-party services.

Why it was flagged

The skill requires service credentials and a Feishu chat ID so it can fetch news, generate voice, and send messages. This is purpose-aligned but gives the skill delegated account/API authority.

Skill content

export FEISHU_APP_ID="cli_xxx"
export FEISHU_APP_SECRET="xxx"
export FEISHU_CHAT_ID="oc_xxx"
export NOIZ_API_KEY="xxx"
export TAVILY_API_KEY="tvly_xxx"

Recommendation

Use least-privilege Feishu app credentials, restrict the target chat, keep API keys out of shared files/logs, and rotate keys if they may have been exposed.

What this means

Voice delivery depends on external local code outside this review, and that code may receive the broadcast text and inherited environment variables.

Why it was flagged

The skill invokes a neighboring feishu-voice-skill script to perform voice sending, but that helper is not included in the reviewed files.

Skill content

bash "$BASE_DIR/../feishu-voice-skill/scripts/send_voice.sh" -t "$text"

Recommendation

Install the Feishu voice helper only from a trusted source, review it separately, and ensure the sibling path cannot be replaced by untrusted code.

What this means

If you add the cron job, the skill will continue broadcasting on schedule until you remove or disable the cron entry.

Why it was flagged

The artifact provides cron examples that make the skill run repeatedly without manual confirmation after the user installs the cron entry.

Skill content

0 8 * * * bash /root/.openclaw/workspace/skills/daily-news-skill/scripts/news_broadcast.sh >> /tmp/news_broadcast.log 2>&1

Recommendation

Only add the cron schedule if you want recurring automatic posts, monitor the log file, and remove the crontab entry when no longer needed.