jqzx-news-push
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its news-push purpose, but its setup instructions can reveal full API tokens and it installs a recurring background task.
Install only if you are comfortable giving it Machine Heart/Jiqizhixin, Get笔记, and Feishu-target access. Do not use the SKILL.md echo commands that print secret values; use masked checks instead. Verify the cron path and Feishu target before scheduling daily runs, and remove the cron entry when you no longer need the automation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Machine Heart/Jiqizhixin and Get笔记 credentials could be accidentally revealed to anyone who can see the session or logs.
These setup commands print full service tokens/API keys instead of only checking whether they are set, which can expose credentials in terminal output, agent transcripts, or logs.
echo "JI_ZHIXIN_TOKEN: $JI_ZHIXIN_TOKEN"; echo "GETNOTE_API_KEY: $GETNOTE_API_KEY"; echo "GETNOTE_CLIENT_ID: $GETNOTE_CLIENT_ID"
Do not run the echo-based credential check as written. Use a masked or presence-only check such as the included check-config.sh behavior, and rotate any token that was already exposed.
Running the skill can post content to the configured Feishu user/group and create notes in the configured Get笔记 account.
The script sends messages to Feishu and creates notes in Get笔记. These are third-party write actions, but they match the advertised news-push purpose.
openclaw message send --channel feishu --target "$FEISHU_TARGET" --message "$FULL_CONTENT" ... curl ... "https://openapi.biji.com/open/api/v1/resource/note/save"
Verify the Feishu target and Get笔记 account before running or scheduling the script.
The task may keep sending messages and saving notes every day until the cron entry is removed.
The skill documents a cron job that continues to run daily after setup. This persistence is disclosed and fits the daily-news purpose.
0 8 * * * /root/.openclaw/workspace/skills/daily-news-push/scripts/push-news.sh >> /tmp/daily-news.log 2>&1
Only add the cron job if you want ongoing automation, review `/tmp/daily-news.log`, and remove the crontab entry when you no longer want the push.
Setup may be confusing, and a copied cron path may not match the actual installed skill location.
Registry-level metadata does not fully match the files: package.json declares required env vars, and SKILL.md/_meta.json use the `daily-news-push` name/path. This is a coherence/provenance note rather than proof of malicious behavior.
Slug: jqzx-news-push; Required env vars: none; Source: unknown
Confirm the installed path and required credentials before creating the cron job.