crypto daily report
v1.0.0加密货币日报生成技能。当用户要求生成日报、出日报、发日报、加密新闻日报时激活。按固定板块结构采集数据、处理脱水、排版后分三条消息发送到 Telegram 加密新闻 Topic。
⭐ 0· 332·0 current·0 all-time
byblockpunk@blockpunk2077
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to assemble and send a Telegram Topic thread but declares no Telegram credential or mechanism for posting; it also relies on other services (OpenNews, RootData) that require tokens/keys but does not declare required environment variables. _meta.json lists external_skills (rootdata, opennews, opentwitter) which explains some cross-skill calls, but the skill still does not declare or request the Telegram bot token or RootData/OpenNews keys it uses at runtime.
Instruction Scope
SKILL.md instructs the agent to: fetch multiple sites, run included scripts, call a private OpenNews endpoint (using a token extracted from ~/.openclaw/.env), and post three messages to a hard-coded Telegram chat/thread. It also mandates 'silent execution' while some provided scripts (fetch_news.sh) echo progress messages and write to /tmp. The instructions explicitly read a local dotfile for OPENNEWS_TOKEN (grep ~/.openclaw/.env) even though no env var is declared — this is a cross-cutting scope concern because it directs reading local config/secrets not declared as required.
Install Mechanism
No install spec (instruction-only install), which is lower risk. However, the package includes runnable scripts (Python and bash) that will be executed at runtime; nothing is downloaded from untrusted URLs. Presence of scripts is expected for this task, but the absence of an install step means these scripts will run in the agent environment with whatever privileges the agent has.
Credentials
The skill declares no required env vars or primary credential, yet runtime steps access/expect secrets: OPENNEWS_TOKEN is read from ~/.openclaw/.env, and posting to Telegram implies a bot token or platform-level integration (not declared). RootData usage also requires a key per _meta.json. Requesting access to a local dotfile and relying on undeclared credentials is disproportionate and opaque.
Persistence & Privilege
always:false and user-invocable:true (defaults) — the skill does not request forced persistence or modify other skills' configs. It does assume the agent can autonomously run scripts and network calls, which is normal, but this is not combined with an elevated 'always' privilege.
What to consider before installing
Do not install blindly. The skill will attempt to fetch public crypto data (Binance, DeFiLlama, GeckoTerminal, news sites) which is coherent, but it also instructs the agent to read a local dotfile (~/.openclaw/.env) for an OPENNEWS_TOKEN and to post three messages to a hard-coded Telegram chat without declaring a Telegram bot token. Before installing, ask the author to: (1) explicitly list required credentials (TELEGRAM_BOT_TOKEN or platform posting method, OPENNEWS_TOKEN, RootData key) in requires.env; (2) avoid reading arbitrary local files and instead use explicit env vars; (3) remove or make optional console progress output so the 'silent execution' requirement can be met; (4) explain how Telegram posting is implemented and where the bot token will be stored; (5) confirm and document the dependency on the rootdata/opennews/opentwitter external skills and whether those require additional credentials. If you must run it, do so in an isolated agent environment and verify that no undeclared secrets are accessible to the agent (e.g., remove or protect ~/.openclaw/.env).Like a lobster shell, security has layers — review code before you run it.
latestvk97eet15d5p1w4m33cvax8spbd82326d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.