Daily Briefing

This skill mostly does what it says (weather, traffic rules, scrape/organize news), but review before installing: - Network access & external fetches: Scripts use curl (via execSync) to fetch wttr.in and multiple news sites. Expect outbound HTTP(S) traffic when running the skill. - Shell command risk: The code builds shell commands with string interpolation (execSync + curl). If untrusted inputs are passed (for example a crafted city string), that could allow shell injection. Prefer running in a sandbox or only with trusted inputs; consider patching the code to URL-encode inputs or to use a safe HTTP client (undici/fetch) instead of shelling out. - Undeclared dependency: news-search.mjs imports 'kimi-search' but package.json does not list it. Either the platform must provide this tool, or the module will fail. Confirm the runtime environment supplies kimi_search or add the dependency. - Path assumptions / cross-skill examples: README/cron examples reference /root/.openclaw and another skill's sendEmail script. Those are examples — they assume other skills and elevated path access. Do not copy these cron/email commands into production without verifying your environment and permissions. - Mitigations before use: run npm install in a controlled environment, inspect and (if needed) sanitize any inputs passed to the scripts, run the skill in a restricted container or VM, and verify or add the missing kimi-search dependency or adapt news-search to use the included news-collector which already scrapes known sites. If you want, I can (a) point out exact lines that do shell interpolation, (b) suggest safe code changes to remove shell usage, or (c) prepare a checklist to harden this skill before enabling it in a production agent.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.