每日有趣内容
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: daily-fun-content Version: 1.0.0 The skill uses `execSync` in `scripts/generate.mjs` to execute shell commands for web searching via `mcporter`, which represents a potential shell injection vulnerability. It also requests the configuration of a persistent cron job and performs automated web searches and file system writes. While these behaviors are aligned with the stated purpose of a daily content generator, the reliance on shell execution for tool interaction is a high-risk pattern.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the generator executes the local mcporter command; if that local command is untrusted or replaced, it could do more than just search.
The generator invokes a local shell command. In this artifact the queries are fixed by the script and the behavior is disclosed, so this is purpose-aligned but still worth reviewing.
const { execSync } = await import('child_process'); const command = `mcporter call glm-search.webSearchPrime search_query="${query}"`; const result = execSync(command, {Install only if you trust the local Node.js and mcporter/search setup. Prefer a safer argument-passing API such as execFile if the query ever becomes user-controlled.
The skill's behavior depends partly on whatever external search tool and Node runtime are available on the user's machine.
The skill depends on external runtime/search tooling that is not packaged or pinned in the artifact set.
- 需要网络搜索能力(可用 `perplexity` skill 或 `glm-web-search` skill) - Node.js 18+
Verify that Node.js and the search provider/CLI are installed from trusted sources and match what you expect before enabling scheduled runs.
If enabled, the skill will run on a schedule and may generate/share content without a fresh manual prompt each time.
The documentation instructs the user to create a recurring cron task, which is persistent background agent behavior.
每天早上 6:00 自动生成: openclaw cron add --name "Daily Fun Content Generator" --cron "0 6 * * *"
Only add the cron/heartbeat entries if you want recurring behavior, and remove those entries if the periodic content becomes unwanted.
Low-quality, offensive, or instruction-like text from search results could be saved and later repeated as fun content, though the skill does not tell the agent to obey it.
Text retrieved from web search is persisted into a cache and later reused by the skill.
const jokesResult = await searchWeb(jokesQuery); ... items.push({ type: 'joke', content: joke.trim() }); ... fs.writeFileSync(cacheFile, JSON.stringify(cache, null, 2));Review the cache occasionally or add filtering if you use this in sensitive contexts; treat cached web snippets as untrusted content to quote/share, not instructions.