Tech News Daily

Pass

Audited by ClawScan on May 11, 2026.

Overview

This skill is a mostly coherent daily tech-news brief generator, with expected scheduled fetching and optional Feishu posting that users should configure deliberately.

This appears suitable for generating a scheduled public tech-news digest. Before using it, decide whether you want the cron job enabled, set a trusted Feishu webhook only if you want external posting, and treat the briefings as automatically generated summaries rather than verified reporting.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If modified or misused, shell-based fetching could execute unintended commands, though the included command is currently fixed and purpose-aligned.

Why it was flagged

The skill uses shell execution to run curl. The command is fixed to a public GitHub API endpoint and is aligned with fetching news data, but shell execution is a sensitive mechanism.

Skill content
const output = execSync(cmd, { encoding: 'utf8' });
Recommendation

Keep the command fixed or replace shell curl with a safer HTTP client; review any future changes that add user input to shell commands.

What this means

The skill may generate reports every morning if the cron configuration is installed or honored.

Why it was flagged

The artifacts include enabled daily scheduled execution. This is expected for a daily briefing skill, but it means the skill can keep running after initial setup.

Skill content
"schedule": "0 8 * * *", "command": "cd /home/node/.openclaw/workspace && python skills/tech-news-daily/tech-news-daily.py", "enabled": true
Recommendation

Enable the cron entry only if you want unattended daily runs, and disable or remove it when no longer needed.

What this means

Anyone with that webhook can post messages to the associated Feishu destination; the skill does not send if the variable is unset.

Why it was flagged

The skill can use a Feishu webhook URL, which functions like a credential for posting into a configured Feishu chat.

Skill content
FEISHU_WEBHOOK = os.getenv("FEISHU_WEBHOOK_URL", "")
Recommendation

Use a dedicated Feishu webhook, keep it private, and rotate it if it is exposed.

What this means

The generated briefing and report fields will leave the local environment and be posted to the configured Feishu chat.

Why it was flagged

Generated report content is sent to an external Feishu webhook when configured. This is purpose-aligned, but it is still an outbound data flow.

Skill content
requests.post(
    FEISHU_WEBHOOK,
    json=payload,
    timeout=10
)
Recommendation

Verify the webhook destination and report content before enabling automatic posting.

What this means

Users may over-trust the accuracy or verification level of the generated news brief.

Why it was flagged

The generated footer claims all sources are verified, while the implementation mainly fetches GitHub data and does not show a source-verification process.

Skill content
*注:所有来源均已核验*
Recommendation

Treat generated news as a draft summary and independently verify important claims or links.