ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Morning Brief · 每日AI早报

v1.0.0

每日AI早报。抓取多路信源(HuggingFace Blog、人人都是产品经理、blogwatcher订阅、36氪/知乎/Reddit/Twitter工具网关),LLM智能筛选最有价值的10条,推送到Telegram。内置OpenRouter榜单快照。使用场景:每天定时生成个性化AI资讯早报,过滤低信噪比内容,突...

0· 91·0 current·0 all-time
bysetC_brian@min870809

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for min870809/ai-morning-brief.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Morning Brief · 每日AI早报" (min870809/ai-morning-brief) from ClawHub.
Skill page: https://clawhub.ai/min870809/ai-morning-brief
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: API_HUB_BASE_URL, API_HUB_KEY
Required binaries: python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ai-morning-brief

ClawHub CLI

Package manager switcher

npx clawhub@latest install ai-morning-brief
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to aggregate AI news and push to Telegram, which matches the script, but the declared required env vars (API_HUB_BASE_URL, API_HUB_KEY) do not map to any meaningful use in the provided Python script. Conversely, the script actually uses TELEGRAM_TOKEN/TELEGRAM_CHAT_ID and CLAWDCHAT_API_KEY (for clawdchat.cn) — these are not declared as required. This is an incoherence between claimed requirements and actual runtime needs.
!
Instruction Scope
The SKILL.md instructs the user to export API_HUB_BASE_URL/API_HUB_KEY and to edit the script to place Telegram token and chat id in plaintext. The runtime script expects and reads a cached OpenRouter JSON file (~/.openclaw/workspace/data/openrouter-top-apps.json), calls local binaries (blogwatcher) via subprocess, fetches RSS feeds, and posts to an external gateway (https://clawdchat.cn). Instructions and code are generally within the 'news aggregator -> Telegram' scope, but the mismatches in which credentials are required and the use of an external tool gateway expand the trust surface and are not properly documented in the declared requires.env.
Install Mechanism
No install spec is provided (instruction-only with one script file). That lowers install risk because nothing arbitrary is downloaded/installed by the skill itself. The script does call external CLIs (blogwatcher, firecrawl per docs) but those are optional dependencies described in SKILL.md.
!
Credentials
The declared required env vars (API_HUB_BASE_URL, API_HUB_KEY) appear unnecessary given the script contents. Meanwhile the script uses CLAWDCHAT_API_KEY and TELEGRAM_* envs (or instructs embedding tokens in the script), which were not listed as required. Asking for or documenting the wrong credentials is a red flag — it could lead users to provide secrets that the skill doesn't need, or hide the fact that an external gateway (clawdchat.cn) needs a key. The script sends requests to clawdchat.cn using CLAWDCHAT_API_KEY; trust in that third-party service is required.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configuration. It reads a cache file in the user's home (~/.openclaw/workspace/data/openrouter-top-apps.json) and runs local CLIs; those are reasonable for its purpose. No elevated/system-wide privileges are requested.
What to consider before installing
Things to consider before installing: - Clarify the env vars: the SKILL.md/registry lists API_HUB_BASE_URL and API_HUB_KEY, but the shipped script does not use those; the script actually uses TELEGRAM_TOKEN / TELEGRAM_CHAT_ID (env names TELEGRAM_TOKEN and TELEGRAM_CHAT_ID) and CLAWDCHAT_API_KEY. Ask the author which credentials are truly required and why API_HUB_* are declared. - Review and trust the external gateway: the script posts to https://clawdchat.cn/api/v1/tools/call using CLAWDCHAT_API_KEY. That third-party will see requests and responses — only provide a key if you trust that service and its privacy/security practices. - Avoid embedding secrets in source: SKILL.md suggests editing the script to hardcode Telegram bot token and chat id. Prefer exporting TELEGRAM_TOKEN and TELEGRAM_CHAT_ID as environment variables or using a secure secrets store, not committing tokens into files. - Check optional tools before enabling cron: the skill invokes blogwatcher and suggests using firecrawl to fetch OpenRouter data; these CLIs run subprocesses and may access networks/files. Ensure you only enable integrations you want and that those CLIs are trusted. - Inspect network behavior locally: run the script in a controlled environment (no sensitive env vars present) and observe outgoing requests (which hosts are contacted) to confirm behavior matches expectations. - If you need the skill but are uncomfortable with clawdchat.cn, consider removing/rewriting call_clawdchat_tool or replacing it with direct RSS/API calls to trusted sources. - Ask the author to update SKILL.md and registry metadata so declared required env vars match actual runtime usage; mismatches are a legitimate reason to withhold sensitive credentials until clarified.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binspython3
EnvAPI_HUB_BASE_URL, API_HUB_KEY
aivk975akb1thysp29t8dr22h2a7s858qq8latestvk975akb1thysp29t8dr22h2a7s858qq8morning-briefvk975akb1thysp29t8dr22h2a7s858qq8newsvk975akb1thysp29t8dr22h2a7s858qq8rssvk975akb1thysp29t8dr22h2a7s858qq8telegramvk975akb1thysp29t8dr22h2a7s858qq8
91downloads
0stars
1versions
Updated 6d ago
v1.0.0
MIT-0
setC_brian@min870809
ailatestmorning-briefnewsrsstelegram
Download

每日AI早报 Morning Brief

每天抓取多路 AI 信源,LLM 筛选后推送到 Telegram。

信源覆盖

  • 直接 RSS:HuggingFace Blog、人人都是产品经理
  • blogwatcher:36氪、量子位、Product Hunt、RadarAI(需已配置 blogwatcher)
  • 工具网关:36氪热榜、InfoQ、知乎热榜、r/LocalLLaMA、Twitter/@xuezhiqian123
  • 榜单快照:OpenRouter Global Top Apps(需预先抓取缓存)

筛选逻辑

优先级从高到低:

  1. AI工具平台动态(OpenAI/Google/Meta/Anthropic 等头部进展;OpenClaw竞品更新/暴雷)
  2. AI Agent 新进展、普通人用 AI 变现案例
  3. 资本市场:融资/裁员/暴雷/政策
  4. 内容运营/流量变现:小红书/公众号新打法、闲鱼变现机会

竞品特别标注(优先入选):Hermes Agent、Cline、Roo Code、Agent Zero、Gobii

过滤掉:纯技术/学术论文、HuggingFace 官方自我宣传类内容(开源现状报告等)

快速开始

1. 配置环境变量

export API_HUB_BASE_URL=https://api.mulerun.com
export API_HUB_KEY=your_key_here

编辑脚本顶部,填入你的 Telegram Bot Token 和 Chat ID:

TELEGRAM_TOKEN = "your_bot_token"
CHAT_ID = "your_chat_id"
CLAWDCHAT_API_KEY = "your_clawdchat_key"  # 可选,用于工具网关

2. 手动运行

python3 ~/.openclaw/skills/morning-brief/scripts/morning-brief.py

3. 定时运行(推荐)

在 OpenClaw 中设置每日定时任务(9:40 AM):

每天早报任务,按以下步骤执行:

步骤1:用 firecrawl 抓取 https://openrouter.ai/apps,提取 Global Ranking 前20名保存到
~/.openclaw/workspace/data/openrouter-top-apps.json
格式:{"fetched_at": "ISO时间", "apps": [{"rank": 1, "name": "...", "tokens": "...", "trend": "..."}]}

步骤2:运行早报脚本
python3 ~/.openclaw/skills/morning-brief/scripts/morning-brief.py

步骤3:把早报正文通过 send_message 发到网页端

推荐 cron 时间:40 9 * * *(UTC+8 09:40)

定制过滤规则

过滤逻辑在脚本 llm_filter() 函数的 prompt 中,直接修改文字即可调整:

  • ⚡ 特别标注:添加你关注的竞品名称
  • ❌ 一律不选:添加要过滤的内容类型
  • ✅ 优先选:调整优先级规则

依赖

  • Python 3.8+(标准库,无需额外安装)
  • Telegram Bot(需自行申请 @BotFather)
  • ClawdChat API Key(可选,用于36氪/知乎/Reddit/Twitter工具网关)
  • blogwatcher(可选,用于订阅源管理)
  • firecrawl(可选,用于 OpenRouter 榜单抓取)

输出示例

⚡ 2026-04-21 Mon 早报

1. [Gemini 2.5 Pro 正式发布,编程能力大幅提升](https://...)
   _Google最新旗舰模型上线,对OpenClaw用户有直接影响_ `HuggingFace Blog`

2. [OpenRouter 榜单新入榜:Perplexity Deep Research...](https://...)
   ...

共 10 条 · 09:41 更新

Comments

Loading comments...