Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily Finance Pro
v1.0.0每日财经推送专家版。当用户说"今日财经"、"财经日报"、"每日金融推送"、"设置财经推送"、"取消财经推送"时触发。特色:浓精简(3条精华)、市场情绪指标( bearish/bullish/neutral)、定时推送飞书。比 daily-finance 更精炼,比 daily-trending 更专业。
⭐ 0· 54·1 current·1 all-time
by@foxxc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to gather multi-platform finance hotlists and push scheduled summaries to Feishu. The SKILL.md uses openclaw cron commands to schedule pushes to a 'feishu' channel, which is consistent if the platform already manages Feishu integration. However, the skill does not declare or request any Feishu credentials, webhooks, or API tokens, nor does it explain where channel configuration is stored. That gap is explainable if the platform provides channel wiring, but the skill should document that assumption.
Instruction Scope
Instructions tell the agent to '抓取多平台热榜' and list source paths, but they do not include concrete steps, commands, or code for fetching/parsing those sources. The cron scheduling examples rely on openclaw CLI behavior but do not show what job payload/run action will actually assemble the summarized content. This is vague and grants the agent broad discretion to perform web scraping or HTTP requests without explicit boundaries or error/ratelimiting guidance.
Install Mechanism
Instruction-only skill with no install spec or code files. Nothing is downloaded or written to disk by the skill itself, which minimizes install surface risk.
Credentials
No environment variables, credentials, or config paths are declared. This is low-privilege on its face, but since the skill instructs pushing to Feishu, the absence of any Feishu credential requirement is notable. It may rely on platform-managed channels (acceptable) — confirm whether a Feishu channel / tokens are pre-configured by the host environment.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It uses platform cron commands to schedule jobs, which is expected for a push/scheduler feature; this is normal and not elevated privilege by itself.
What to consider before installing
Before installing or enabling this skill, verify the following: 1) Is your OpenClaw host/platform already configured with a 'feishu' channel or Feishu credentials? If not, the cron commands will not be able to deliver messages. 2) Ask the author or maintainer what the scheduled job actually runs: the SKILL.md shows how to schedule a cron entry but does not include the command or script that fetches and summarizes the listed sources. Confirm whether the agent will perform web requests/scraping (and whether rate limits or login/auth are required). 3) Request documentation for privacy/security: where are any service tokens or webhooks stored, who can view scheduled messages, and can you preview the exact message content before it is sent? 4) If you need stronger assurance, ask for a concrete implementation or example of the cron job payload (the code or commands run at schedule) and a list of external endpoints the skill will contact. If these clarifications are provided and Feishu channel wiring is confirmed, the skill appears coherent; without them, it's risky because of the operational vagueness around data fetching and message delivery.Like a lobster shell, security has layers — review code before you run it.
chinavk97dwr0esvnm9nec61vmwtbmkn83hjabdailyvk97dwr0esvnm9nec61vmwtbmkn83hjabfinancevk97dwr0esvnm9nec61vmwtbmkn83hjablatestvk97dwr0esvnm9nec61vmwtbmkn83hjabmarketvk97dwr0esvnm9nec61vmwtbmkn83hjabnewsvk97dwr0esvnm9nec61vmwtbmkn83hjabprovk97dwr0esvnm9nec61vmwtbmkn83hjab
License
MIT-0
Free to use, modify, and redistribute. No attribution required.