Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Global Economy Daily

v1.0.0

Automatically generate and send daily global economic insights reports with market data, geopolitical news, and outlooks via QQ or Feishu.

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The declared purpose is to generate AND send reports to QQ/Feishu. The repository contains a report generator, but there is no working push implementation: the main script prints the report and has a commented TODO for sending (message call is commented out). The SKILL.md and scripts/config.py tell the user to configure push channels/targets, yet global_economy_daily.py defines its own CHANNEL/TARGET and does not import scripts/config.py — a clear mismatch. The template file referenced in SKILL.md (templates/report_template.md) is also absent from the manifest.
Instruction Scope (flagged)
Runtime instructions ask the user to edit scripts/config.py and to install a macOS LaunchAgent to schedule pushes; however the executable script ignores that config file, so following the instructions will not produce the intended push behavior. The code only performs network requests to Yahoo Finance to fetch market data (expected). There is no instruction or code that reads unrelated system files or environment secrets.
Install Mechanism
No install spec or external downloads are present; this is instruction/code-only and uses only Python standard library (urllib). That minimizes supply-chain risk — nothing is auto-downloaded or executed outside the repository.
Credentials (flagged)
The skill declares no required environment variables or credentials, but to actually send messages to QQ or Feishu it would need authentication (not declared). Additionally, a QQ target identifier (QQ_TARGET / TARGET) is hardcoded in scripts/config.py and in the main script — this is a privacy/operational concern because a default recipient is baked into the code. The fact that credentials are neither requested nor used is inconsistent with the stated push functionality.
Persistence & Privilege
The skill does not request persistent system privileges and is not set to always:true. SKILL.md suggests creating a user LaunchAgent to schedule the script — that is a user action (normal). The skill does not attempt to modify other skills or system-wide settings on its own.
What to consider before installing
Key things to consider before installing or running this skill:

- The code generates a report but does NOT actually send it; the message-sending call is commented out. If you expect automated pushes, ask the author or inspect/implement a safe message-sending path before enabling scheduling.
- The instructions tell you to edit scripts/config.py, but the main script doesn't import that file — confirm and fix this mismatch so you control the target and behavior.
- A QQ target identifier is hardcoded. Remove or replace it with your own target and ensure any push code requires explicit credentials (and doesn't leak data to unknown recipients).
- No credentials are requested; if you wire up push functionality you will need to supply auth tokens — prefer storing these in secure environment variables or platform secrets, not in plaintext config files.
- The SKILL.md references a templates/ file that is not present; verify completeness with the author.
- Run the script locally first (it currently only prints the report) and review network calls (only Yahoo Finance is used) before enabling any scheduled task.

If you want help patching the code to use the config file and to require explicit, securely stored credentials for QQ/Feishu, ask for a code review or a safe implementation guide.


Version: latest (vk97c9b6d1de5ve084rgqkj4g0s84ts7p)

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
