Daily Weather News

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill’s weather/news push behavior is mostly coherent, but it ships a real-looking Tavily API key and default Feishu recipient that users must not blindly reuse.

Before installing or running this skill, remove the bundled Tavily key, set your own TAVILY_API_KEY securely, replace the Feishu TARGET_USER with your intended recipient, verify the external tavily-search helper, and only add the cron job if you really want daily automatic messages.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone could abuse the bundled API key, and users may accidentally run searches under another party’s credential or expose their own key if they copy the pattern.

Why it was flagged

A real-looking Tavily API key is embedded directly in an executable script, and similar key material appears in the setup documentation. This is credential exposure and encourages shared credential use.

Skill content
export TAVILY_API_KEY="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"
Recommendation

Remove the bundled key, rotate it if it is real, use only user-provided environment variables, and declare TAVILY_API_KEY as a required credential/env var in metadata.

What this means

If run without changing the config, the skill may send weather/news messages to the packaged Feishu user ID instead of the installer’s intended recipient.

Why it was flagged

The default Feishu recipient is a specific bundled user ID. Since the script sends Feishu messages to the configured target, installers need to replace this before normal use.

Skill content
TARGET_USER="ou_3a0705a4c7b5f068fff0b2b719d37978"
Recommendation

Require users to configure their own Feishu target before sending, and avoid shipping personal/default recipient IDs in public skill packages.

What this means

The actual search behavior depends on another local skill/script, so safety and reliability also depend on that external component.

Why it was flagged

The skill executes a helper script from a separate tavily-search skill path that is not included in this artifact set. This is purpose-aligned for news search, but users should verify that external dependency.

Skill content
news_result=$(node ~/.openclaw/workspace/skills/tavily-search/scripts/search.mjs "site:news.cn 今日国际 OR site:xinhuanet.com 今日要闻 OR site:people.com.cn 国际新闻 $(date +%Y-%m-%d)" -n 10 --topic news --days 1)
Recommendation

Document and declare the dependency explicitly, pin or verify the helper source where possible, and ensure users install a trusted tavily-search skill.

Note
High Confidence
ASI10: Rogue Agents
What this means

If the cron job is installed, the skill will keep making API calls and attempting Feishu sends every day.

Why it was flagged

The skill documents a cron entry for daily automatic execution. Scheduled execution is expected for a daily push skill, but it creates persistence until the user removes the cron job.

Skill content
30 7 * * * /home/alanchan/.openclaw/workspace/skills/daily-weather-news/scripts/daily_push.sh
Recommendation

Only add the cron job intentionally, use a user-specific path, and document how to disable or remove the scheduled task.