Daily Weather News
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: daily-weather-news
Version: 1.0.0
The skill bundle contains hardcoded sensitive information, including a Tavily API key and a specific Feishu (Lark) user ID (ou_3a0705a4c7b5f068fff0b2b719d37978) across multiple files like config/config.sh and SKILL.md. It also uses hardcoded absolute file paths tied to a specific user environment (/home/alanchan/), which is a significant portability and security risk. While the script's logic for fetching weather and news appears functional, the default configuration would result in data being sent to the author's hardcoded Feishu ID, and the exposed API key could be abused or used for tracking.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone could abuse the bundled API key, and users may accidentally run searches under another party’s credential or expose their own key if they copy the pattern.
A real-looking Tavily API key is embedded directly in an executable script, and similar key material appears in the setup documentation. This is credential exposure and encourages shared credential use.
export TAVILY_API_KEY="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"
Remove the bundled key, rotate it if it is real, use only user-provided environment variables, and declare TAVILY_API_KEY as a required credential/env var in metadata.
If run without changing the config, the skill may send weather/news messages to the packaged Feishu user ID instead of the installer’s intended recipient.
The default Feishu recipient is a specific bundled user ID. Since the script sends Feishu messages to the configured target, installers need to replace this before normal use.
TARGET_USER="ou_3a0705a4c7b5f068fff0b2b719d37978"
Require users to configure their own Feishu target before sending, and avoid shipping personal/default recipient IDs in public skill packages.
The actual search behavior depends on another local skill/script, so safety and reliability also depend on that external component.
The skill executes a helper script from a separate tavily-search skill path that is not included in this artifact set. This is purpose-aligned for news search, but users should verify that external dependency.
news_result=$(node ~/.openclaw/workspace/skills/tavily-search/scripts/search.mjs "site:news.cn 今日国际 OR site:xinhuanet.com 今日要闻 OR site:people.com.cn 国际新闻 $(date +%Y-%m-%d)" -n 10 --topic news --days 1)
Document and declare the dependency explicitly, pin or verify the helper source where possible, and ensure users install a trusted tavily-search skill.
If the cron job is installed, the skill will keep making API calls and attempting Feishu sends every day.
The skill documents a cron entry for daily automatic execution. Scheduled execution is expected for a daily push skill, but it creates persistence until the user removes the cron job.
30 7 * * * /home/alanchan/.openclaw/workspace/skills/daily-weather-news/scripts/daily_push.sh
Only add the cron job intentionally, use a user-specific path, and document how to disable or remove the scheduled task.
