Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Wow Daily News
v1.0.1每日日报自动生成。每天 18:00 自动生成包含魔兽世界新闻、NGA 热帖、今日美图的飞书文档,并推送到飞书和微信。
⭐ 0· 78·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md describes a multi-step pipeline (collectors, NGA detail scraping, Xiaohongshu beauty fetcher, Feishu/WeChat push). The package only includes one script (scripts/wow_daily_news.py) that implements EXWIND news scraping and local markdown output. The runtime instructions call many other scripts/paths (e.g. ~/.openclaw/workspace/scripts/daily_report_generator.py, ~/.openclaw/workspace/skills/daily-beauty/daily_beauty.py) and expect local services/binaries that are not included. That discrepancy indicates the bundle is incomplete or misdescribed.
Instruction Scope
SKILL.md instructs the agent to run many shell commands: curl to localhost:18060 and possibly nohup to start ~/xiaohongshu-mcp, agent-browser to open pages and take snapshots, read/write many files under ~/.openclaw/workspace and /tmp, and send messages to specific Feishu/WeChat targets. These steps reference local binaries/services and data files outside the shipped files. The instructions also require copying image files to /tmp and use platform-specific helper commands (feishu_create_doc, feishu_doc_media, message action=send) — none of which are defined or included. Running the instructed commands could start arbitrary binaries in the user's home or interact with system services.
Install Mechanism
There is no install spec (instruction-only). That lowers the risk of remote code being fetched during install, but the runtime relies on an existing environment with many scripts/binaries and system services. The absence of an install step means the skill assumes pre-existing local components (which are not shipped) — a design mismatch that can cause silent failures or unexpected behavior if the environment contains different binaries.
Credentials
The skill declares no required environment variables or credentials, yet the instructions embed hardcoded push targets (Feishu ou_2f7b6746..., a WeChat account ID) and call helper commands that must have credentials configured elsewhere (feishu_create_doc, feishu_doc_media, message action=send). The pipeline also expects writable access to many config/data paths under the user's home and to start binaries (~/xiaohongshu-mcp). Requiring broad filesystem and service access without clear credential configuration is disproportionate and surprising to an installer.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It does instruct starting a user-level binary (nohup ~/xiaohongshu-mcp) and assumes systemd-managed Xvfb, but it does not modify other skills' configs or claim permanent inclusion.
What to consider before installing
Do not install or run this skill unless you understand and control the target environment. Issues to consider before proceeding: 1) Incoherent bundle: the SKILL.md refers to many scripts, data files, and a local MCP service that are not included. The shipped script only fetches EXWIND news — it does not implement the full pipeline. 2) Runtime commands will run shell commands (nohup, curl) that can start arbitrary binaries in ~/xiaohongshu-mcp or other paths; verify those binaries yourself. 3) The skill hardcodes Feishu and WeChat target IDs and relies on helper commands that must have credentials configured elsewhere — confirm these behaviors are acceptable and inspect how feishu_create_doc / message are implemented in your agent runtime. 4) If you want to test, run in an isolated/sandboxed environment and inspect or stub the referenced scripts/services first. Prefer requesting the author to provide the missing scripts, or a clear README explaining required local services and what credentials are needed. If you can't verify the missing components and recipients, treat this skill as risky.Like a lobster shell, security has layers — review code before you run it.
latestvk972vc3x48e4yd9ed9g74jsp1h83z2g5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.