科技投资日报 (Tech Investment Daily)

Warn. Audited by ClawScan on May 10, 2026.

Overview

The report-generation purpose is coherent, but the skill reads local Feishu app secrets and sends a PDF to a hard-coded Feishu user, and its metadata declares neither the credential access nor who controls the recipient.

Before installing, verify that you want this skill to use your Feishu app credentials, change or remove the hard-coded Feishu open_id, require confirmation before sending reports, and inspect the referenced PDF converter dependency.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
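The static scan signals this kind of review relies on can be reproduced with a few line-oriented checks. The block below is an added example, not ClawScan's code: it runs over a constructed SKILL.md excerpt assembled from the three lines quoted in the findings, an assumed metadata shape (`requires.config_paths` / `requires.scripts`, which is not OpenClaw's real schema), and an assumed package install location, and reports an undeclared credential-bearing config read, a hard-coded open_id, and an external script outside the package.

```python
import re

# Constructed SKILL.md excerpt, assembled from the lines the audit quotes (not the full package).
SKILL_MD = '''
cfg = json.load(open("/root/.openclaw/openclaw.json"))["channels"]["feishu"]; app_id, app_secret = cfg["appId"], cfg["appSecret"]
user_id = "ou_159cbb6a3791ff5a98f3a2a4b38e7d4c"
requests.post("https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id", json={"receive_id": user_id, "msg_type": "file"})
bash /root/.openclaw/workspace/skills/md2pdf-weasyprint/scripts/convert-weasyprint.sh /tmp/tech-invest-YYYYMMDD.md /tmp/tech-invest-YYYYMMDD.pdf
'''

# Assumed metadata shape (not OpenClaw's real schema). Declaring nothing is what finding 1 and 3 describe.
UNDECLARED_METADATA = {"name": "tech-invest-daily", "requires": {"config_paths": [], "scripts": []}}
PACKAGE_ROOT = "/root/.openclaw/workspace/skills/tech-invest-daily"  # assumed install location

CONFIG_OPEN_RE = re.compile(r'open\(\s*["\']([^"\']+)["\']\s*\)')
SECRET_KEY_RE = re.compile(r'\[\s*["\'](?:appSecret|app_secret|secret|token)["\']\s*\]')
OPEN_ID_RE = re.compile(r'["\'](ou_[0-9a-f]{32})["\']')      # shape taken from the quoted open_id
SCRIPT_CALL_RE = re.compile(r'\b(?:bash|sh)\s+(/\S+\.sh)\b')


def scan_skill(skill_md, metadata, package_root):
    """Return capability signals a reviewer would want either declared in metadata or removed."""
    req = metadata.get("requires", {})
    declared_paths = set(req.get("config_paths", []))
    declared_scripts = set(req.get("scripts", []))
    findings = []
    for lineno, line in enumerate(skill_md.splitlines(), 1):
        # 1. config files opened by the skill that the metadata does not declare
        for m in CONFIG_OPEN_RE.finditer(line):
            if m.group(1) not in declared_paths:
                findings.append({"signal": "undeclared_config_read", "line": lineno,
                                 "evidence": m.group(1),
                                 "reads_secret": bool(SECRET_KEY_RE.search(line))})
        # 2. recipient identifiers baked into the skill instead of read from user config
        for m in OPEN_ID_RE.finditer(line):
            findings.append({"signal": "hardcoded_recipient", "line": lineno,
                             "evidence": m.group(1), "reads_secret": False})
        # 3. scripts executed from outside the package that are not declared dependencies
        for m in SCRIPT_CALL_RE.finditer(line):
            path = m.group(1)
            if not path.startswith(package_root + "/") and path not in declared_scripts:
                findings.append({"signal": "undeclared_external_script", "line": lineno,
                                 "evidence": path, "reads_secret": False})
    return findings


if __name__ == "__main__":
    for f in scan_skill(SKILL_MD, UNDECLARED_METADATA, PACKAGE_ROOT):
        print(f)
```

Declaring the config path and the converter script in the (assumed) metadata clears the first and third signals; the hard-coded recipient stays flagged because no declaration makes a fixed open_id acceptable.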

What this means

Installing the skill could allow it to use the user's configured Feishu app credentials to obtain a tenant token and send messages/files.

Why it was flagged

The skill instructs the agent to read Feishu app credentials from the local OpenClaw config, while the supplied metadata declares no primary credential, required env vars, or required config paths.

Skill content
cfg = json.load(open("/root/.openclaw/openclaw.json"))["channels"]["feishu"]; app_id, app_secret = cfg["appId"], cfg["appSecret"]
Recommendation

Declare the Feishu credential/config requirement clearly, use the platform's scoped credential mechanism if available, and require explicit user confirmation before using those credentials.

What this means

A generated PDF report could be sent from the user's Feishu workspace/app to an unintended fixed recipient.

Why it was flagged

The PDF attachment is sent through a raw Feishu API call to a hard-coded open_id rather than a user-selected or clearly confirmed recipient.

Skill content
user_id = "ou_159cbb6a3791ff5a98f3a2a4b38e7d4c" ... requests.post("https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id", ... json={"receive_id": user_id, "msg_type": "file" ...})
Recommendation

Replace the hard-coded recipient with a user-configured destination and ask for confirmation before sending files or messages.
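The two recommendations above (declared credentials with confirmation, and a user-configured recipient) fit in one sending path. The block below is an added example, not the skill's code: the env var names `FEISHU_APP_ID`/`FEISHU_APP_SECRET`, the config key `report_recipient_open_id`, the open_id shape (`ou_` plus 32 lowercase hex characters, inferred from the quoted literal), and the token and file-upload endpoints (from Feishu's public Open API reference; only the messages URL appears in the finding) are all assumptions. The HTTP transport is injected so the flow runs offline against `FakeTransport`.

```python
import json
import re
import tempfile
from pathlib import Path

# Feishu endpoints as documented in Feishu's public Open API reference (assumed here; only the
# messages URL is quoted in the finding).
TOKEN_URL = "https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal"
UPLOAD_URL = "https://open.feishu.cn/open-apis/im/v1/files"
MESSAGE_URL = "https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id"

# open_id shape inferred from the quoted literal: "ou_" + 32 lowercase hex characters (assumption).
OPEN_ID_RE = re.compile(r"^ou_[0-9a-f]{32}$")


class ConfigError(ValueError):
    pass


class NotConfirmed(RuntimeError):
    pass


def load_feishu_credentials(env):
    """Credentials come only from env vars the install metadata declares (assumed names
    FEISHU_APP_ID / FEISHU_APP_SECRET), never from a fixed /root/.openclaw path."""
    app_id, secret = env.get("FEISHU_APP_ID"), env.get("FEISHU_APP_SECRET")
    if not app_id or not secret:
        raise ConfigError("FEISHU_APP_ID and FEISHU_APP_SECRET must be set (declared in install metadata)")
    return app_id, secret


def load_recipient(config):
    """The recipient is a user-supplied setting; the skill ships no default and validates the shape."""
    rid = config.get("report_recipient_open_id")
    if not rid:
        raise ConfigError("report_recipient_open_id is not configured; refusing to pick a recipient")
    if not OPEN_ID_RE.match(rid):
        raise ConfigError(f"report_recipient_open_id {rid!r} is not a well-formed open_id")
    return rid


def send_report(pdf_path, config, env, confirm, transport):
    """Send a PDF to the configured recipient, touching credentials only after explicit confirmation.

    confirm(prompt) -> bool is the agent's user-confirmation hook. transport.post(url, json=, headers=,
    files=) -> dict is injected: FakeTransport below for offline use, a requests.Session in production."""
    app_id, secret = load_feishu_credentials(env)
    recipient = load_recipient(config)
    prompt = f"Send {Path(pdf_path).name} to Feishu open_id {recipient} via app {app_id}? [y/N] "
    if not confirm(prompt):
        raise NotConfirmed("user did not confirm: credentials untouched, nothing sent")
    token = transport.post(TOKEN_URL, json={"app_id": app_id, "app_secret": secret})["tenant_access_token"]
    auth = {"Authorization": f"Bearer {token}"}
    upload = transport.post(UPLOAD_URL, headers=auth,
                            files={"file_type": (None, "pdf"),
                                   "file": (Path(pdf_path).name, Path(pdf_path).read_bytes())})
    return transport.post(MESSAGE_URL, headers=auth,
                          json={"receive_id": recipient, "msg_type": "file",
                                "content": json.dumps({"file_key": upload["data"]["file_key"]})})


class FakeTransport:
    """Offline stand-in for requests: records every call and returns Feishu-shaped canned replies."""
    def __init__(self):
        self.calls = []

    def post(self, url, json=None, headers=None, files=None):
        self.calls.append((url, json, headers))
        if url == TOKEN_URL:
            return {"code": 0, "tenant_access_token": "t-constructed"}
        if url == UPLOAD_URL:
            return {"code": 0, "data": {"file_key": "file_v2_constructed"}}
        return {"code": 0, "data": {"message_id": "om_constructed"}}


def constructed_pdf():
    """Write a placeholder PDF to a temp file so the example has a real path to read."""
    f = tempfile.NamedTemporaryFile(suffix=".pdf", delete=False)
    f.write(b"%PDF-1.4 constructed placeholder\n")
    f.close()
    return f.name


def raises(exc, fn, *args):
    """True if fn(*args) raises exc; used to exercise the refusal paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    env = {"FEISHU_APP_ID": "cli_constructed", "FEISHU_APP_SECRET": "constructed-secret"}
    cfg = {"report_recipient_open_id": "ou_" + "0" * 32}
    print(send_report(constructed_pdf(), cfg, env, lambda p: input(p).lower() == "y", FakeTransport()))
```

The ordering matters: the confirmation prompt names the recipient and the app before the tenant token is requested, so a declined prompt leaves the credentials unused rather than merely unsent.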

What this means

PDF generation depends on external local code whose contents are not part of this review.

Why it was flagged

The workflow relies on another skill's converter script that is not included in this package or declared in the install metadata.

Skill content
bash /root/.openclaw/workspace/skills/md2pdf-weasyprint/scripts/convert-weasyprint.sh /tmp/tech-invest-YYYYMMDD.md /tmp/tech-invest-YYYYMMDD.pdf
Recommendation

Declare the dependency explicitly, include or pin the converter provenance, and let users verify it before execution.
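One way to pin the converter's provenance, as an added example rather than anything from the skill or the md2pdf-weasyprint package: record the script's SHA-256 when the dependency is declared, and at run time read the script once, compare the digest, and feed those verified bytes to `sh` on stdin (`sh -s arg1 arg2` sets `$1`/`$2`) so the file on disk cannot be swapped between the check and the execution. The converter used here is a constructed stand-in that copies its input to its output; the real script is not part of this review.

```python
import hashlib
import hmac
import subprocess
import tempfile
from pathlib import Path


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def pin_converter(script_path):
    """Run once when the dependency is declared: the digest goes into the install metadata next
    to the converter path, so users can compare it against the md2pdf-weasyprint source."""
    return sha256_hex(Path(script_path).read_bytes())


def run_pinned_converter(script_path, pinned_sha256, md_in, pdf_out):
    """Read the script once, check it against the pin, and hand those same bytes to sh on stdin
    so a modified file between check and execution cannot run."""
    body = Path(script_path).read_bytes()
    actual = sha256_hex(body)
    if not hmac.compare_digest(actual, pinned_sha256):
        raise RuntimeError(f"{script_path}: sha256 {actual} does not match pinned {pinned_sha256}; not executing")
    subprocess.run(["sh", "-s", str(md_in), str(pdf_out)], input=body, check=True)
    return Path(pdf_out)


def demo():
    """Constructed end-to-end run: pin a stand-in converter, run it, tamper with it, get refused."""
    d = Path(tempfile.mkdtemp())
    script = d / "convert-weasyprint.sh"          # stand-in; the real converter is not reviewed here
    script.write_text('#!/bin/sh\n# constructed stand-in for the converter: copy input to output\ncp "$1" "$2"\n')
    md_in, pdf_out = d / "tech-invest.md", d / "tech-invest.pdf"
    md_in.write_text("# constructed report\n")
    pin = pin_converter(script)                    # what the install metadata would declare
    run_pinned_converter(script, pin, md_in, pdf_out)
    output_matches = pdf_out.read_text() == md_in.read_text()
    script.write_text(script.read_text() + 'echo tampered >> "$2"\n')   # simulate a modified dependency
    refused = False
    try:
        run_pinned_converter(script, pin, md_in, pdf_out)
    except RuntimeError:
        refused = True
    return {"pin": pin, "output_matches": output_matches, "refused_after_tamper": refused,
            "output_untouched": pdf_out.read_text() == md_in.read_text()}


if __name__ == "__main__":
    print(demo())
```

The pin has to live in the skill's own metadata, not next to the converter: a digest stored beside the script is overwritten by the same change that modifies the script.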

What this means

Users may place too much trust in automated buy/sell ranges, target prices, and stop-loss suggestions.

Why it was flagged

The report template requires concrete trading guidance (entry range, target price, stop-loss) while its only safeguard is a trailing disclaimer that the content is for reference only and is not investment advice.

Skill content
**Investment advice** Entry range: XX~XX | Target price: XX | Stop-loss: XX ... ⚠️ The above is for reference only and does not constitute investment advice (original: **投资建议** 建仓区间:XX~XX | 目标价:XX | 止损:XX ... ⚠️ 以上内容仅供参考,不构成投资建议)
Recommendation

Make the financial-risk disclaimer prominent and consider requiring the user to opt in before generating actionable trading recommendations.