morning-radar
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it advertises—search Baidu for news and send a scheduled Feishu brief—but users should notice that it needs Baidu and Feishu credentials and can create a recurring push job.
Before installing, make sure you are comfortable giving the skill a Baidu API key and Feishu app credentials, use least-privilege Feishu permissions, verify the recipient Open ID, and only enable the cron schedule if you want automatic daily messages.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the Feishu app has broad permissions or the credentials are exposed, someone could potentially use them outside this skill.
The skill requires third-party API and app credentials. This is expected for Baidu search and Feishu message delivery, but these credentials can grant account-level access depending on how the Feishu app is configured.
export BAIDU_API_KEY="your-baidu-api-key"
export FEISHU_APP_ID="your-feishu-app-id"
export FEISHU_APP_SECRET="your-feishu-app-secret"
export FEISHU_RECEIVER_OPEN_ID="your-open-id"
Use a dedicated Feishu app with only the permissions needed to send messages, store secrets securely, and avoid committing config.json with real credentials.
The skill may continue sending Feishu messages on a schedule after initial setup.
The documentation shows a user-directed scheduled task. This is aligned with a morning briefing tool, but it means the skill can keep running daily until the cron job is removed.
openclaw cron add --name "morning-radar" --schedule "0 7 * * *" --command "morning-radar"
Confirm the schedule and receiver before enabling cron, and remove the cron job when the briefings are no longer wanted.
A user relying only on registry metadata might not realize the skill needs Baidu and Feishu secrets until reading the skill documentation.
The registry-level metadata under-declares the credentials that SKILL.md and skill.json require. The skill files themselves disclose the credentials, so this is a metadata consistency issue rather than hidden behavior.
Required env vars: none
Env var declarations: none
Primary credential: none
Review SKILL.md and skill.json before installing. The publisher should update the registry metadata to declare the required credentials and network services.
