科技投资日报
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The report workflow is coherent, but the skill uses local Feishu app credentials and raw API execution to send a PDF to a hard-coded Feishu recipient without declaring or scoping that access.
Before installing, verify and change the Feishu recipient, confirm the skill is allowed to use your Feishu app credentials, and review the PDF tooling dependency. Treat the generated trading guidance as informational rather than financial advice.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked or scheduled, the skill may send files/messages through the user's Feishu app without an obvious recipient review step.
The skill tells the agent to use raw exec with direct Feishu API calls for an account action, rather than a clearly scoped messaging tool or a user-confirmed send workflow.
“Step 2: upload and send; use exec to run the following Python script” ... requests.post("https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id", ...)
Use a scoped Feishu/message tool where possible, require explicit recipient confirmation, and avoid raw exec for account actions unless the user has reviewed the exact script.
The skill can act through the user's Feishu tenant/app credentials and may deliver the report to a recipient the user did not configure.
This reads local Feishu app credentials and sends to a hard-coded Feishu open_id, while the registry metadata declares no required credentials or config paths.
cfg = json.load(open("/root/.openclaw/openclaw.json"))["channels"]["feishu"]; app_id, app_secret = cfg["appId"], cfg["appSecret"]; user_id = "ou_159cbb6a3791ff5a98f3a2a4b38e7d4c"
Declare the required Feishu credential/config path, make the recipient configurable, remove hard-coded open_ids, and document the minimum Feishu permissions needed.
The PDF step may fail or may run code from an unreviewed external skill installation.
The instructions depend on a converter script from another skill path that is not included in this skill's manifest or declared in the install requirements.
bash /root/.openclaw/workspace/skills/md2pdf-weasyprint/scripts/convert-weasyprint.sh /tmp/tech-invest-YYYYMMDD.md /tmp/tech-invest-YYYYMMDD.pdf
Declare and pin the PDF dependency, or use the included PDF conversion script with clearly listed Python/package requirements.
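The three findings above (hard-coded Feishu open_id, undeclared read of the local OpenClaw config, raw Feishu API call, and a converter script pulled from another skill's path) can be turned into a pre-install check. The following is an added example written for this report, not ClawScan's or the skill's own code; the regexes, the sample script and the `declared_*` inputs are assumptions built to mirror the evidence quoted above.

```python
import re
from dataclasses import dataclass

# Signals drawn from the findings above: a Feishu open_id literal, a read of the
# local OpenClaw config file, a direct Feishu API URL, and a script path that
# belongs to a different skill directory.
OPEN_ID_RE = re.compile(r'"(ou_[0-9a-f]{32})"')
CONFIG_READ_RE = re.compile(r'open\(\s*"([^"]*openclaw\.json)"')
FEISHU_API_RE = re.compile(r'https://open\.feishu\.cn/open-apis/[\w/\-]+')
FOREIGN_SKILL_RE = re.compile(r'(/[\w./\-]*/skills/([\w\-]+)/[\w./\-]+)')


@dataclass
class Finding:
    kind: str
    value: str


def review_skill(skill_name: str, script: str,
                 declared_config_paths: set[str],
                 declared_deps: set[str]) -> list[Finding]:
    """Flag the patterns from the report unless the manifest declares them."""
    findings: list[Finding] = []
    for m in OPEN_ID_RE.finditer(script):
        # A literal recipient bypasses any user-side recipient review.
        findings.append(Finding("hardcoded_recipient", m.group(1)))
    for m in CONFIG_READ_RE.finditer(script):
        if m.group(1) not in declared_config_paths:
            findings.append(Finding("undeclared_credential_read", m.group(1)))
    for m in FEISHU_API_RE.finditer(script):
        # Raw API use instead of a scoped messaging tool is always surfaced.
        findings.append(Finding("raw_api_call", m.group(0)))
    for m in FOREIGN_SKILL_RE.finditer(script):
        path, owner = m.group(1), m.group(2)
        if owner != skill_name and owner not in declared_deps:
            findings.append(Finding("undeclared_skill_dependency", path))
    return findings


# Constructed sample mirroring the quoted SKILL.md steps (open_id is made up).
SAMPLE_SCRIPT = '''
cfg = json.load(open("/root/.openclaw/openclaw.json"))["channels"]["feishu"]
app_id, app_secret = cfg["appId"], cfg["appSecret"]
user_id = "ou_0123456789abcdef0123456789abcdef"
requests.post("https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id", json={"receive_id": user_id})
bash /root/.openclaw/workspace/skills/md2pdf-weasyprint/scripts/convert-weasyprint.sh /tmp/in.md /tmp/out.pdf
'''

if __name__ == "__main__":
    for f in review_skill("tech-invest-daily", SAMPLE_SCRIPT, set(), set()):
        print(f"{f.kind}: {f.value}")
```

Declaring the config path and the md2pdf-weasyprint dependency in the manifest clears two of the four findings; the hard-coded recipient and the raw API call remain until the script itself is changed.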
