Data Ai Daily Brief Skill

Review

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a purpose-aligned daily briefing skill, but its optional delivery features can send reports to third-party services or publish them publicly using user-provided credentials.

Before installing, verify the source, keep all delivery credentials scoped and private, leave unused channels disabled, and review each brief before publishing it to team channels or GitHub Pages.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

It may be harder to verify who maintains the skill or where updates come from.

Why it was flagged

The package provenance is not clearly declared, which matters because the skill includes helper scripts that can use service credentials. No remote installer or hidden dependency is shown.

Skill content

Source: unknown; Homepage: none

Recommendation

Inspect the included scripts and prefer installing from a trusted source before configuring credentials.

What this means

If enabled, a generated brief could become publicly accessible and the script can modify a GitHub repository.

Why it was flagged

The optional GitHub Pages delivery path can create a public repository and upload the generated report. This is disclosed and purpose-aligned, but it is a high-impact account/public-publishing action.

Skill content

"public": True ... api_request("POST", f"{API_BASE}/user/repos" ... api_request("PUT", file_url, upload_data, token=token)

Recommendation

Use a dedicated repository and least-privilege token, and review the report before enabling GitHub Pages publishing.

What this means

Leaked or over-scoped credentials could let others post to your channels, send email, or modify the configured GitHub target.

Why it was flagged

The skill documents optional credentials for delivery channels. These credentials are expected for the stated purpose, but they can authorize posting, emailing, bot messaging, or GitHub publishing.

Skill content

`SMTP_PASSWORD` | SMTP password ... `GITHUB_TOKEN` | GitHub Personal Access Token ... `SLACK_WEBHOOK_URL` ... `TELEGRAM_BOT_TOKEN`

Recommendation

Keep credentials in environment variables or a protected config, disable unused channels, and use narrow/dedicated tokens where possible.

What this means

Any information included in the brief may be shared with the configured chat service or recipients.

Why it was flagged

The delivery script sends generated report content to a configured webhook. This matches the delivery feature, but it means report content leaves the local environment.

Skill content

payload = {"msgtype": "markdown", "markdown": {"title": title, "text": content}} ... urllib.request.urlopen(req)

Recommendation

Only configure trusted channels and avoid including confidential internal information unless the destination is approved.

What this means

If a platform honors this schedule, reports could be generated and delivered automatically on weekdays.

Why it was flagged

The generated default config includes a weekday schedule for recurring reports. The artifacts do not show silent cron installation, so this is an expected automation option rather than rogue persistence.

Skill content

"cron": [{ "name": "Data+AI 全球日报", "schedule": "0 8 * * 1-5", "timezone": "Asia/Shanghai"

Recommendation

Enable scheduled delivery only when intended and verify the target channels before turning on automation.