daily-sales-digest
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches a sales-reporting use case, but it needs review because it can produce mock sales numbers, expose commerce credentials, and auto-send reports through risky Discord/shell handling.
Install only if you are comfortable editing and reviewing the scripts. Replace all Discord/email targets with your own verified destinations, do not print the full credential config, use read-only API keys, and keep cron delivery disabled until real API collection replaces the current mock data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users could receive scheduled reports that look like real sales summaries but are based on random mock data.
The collector currently writes random mock revenue when a source is enabled, despite the skill being presented as a sales API integration and digest tool.
// TODO: implement the real Naver API call
// currently returns mock data
const mockRevenue = Math.floor(Math.random() * 2000000) + 500000;
Do not enable cron delivery for business use until real API collection is implemented, and label any test output clearly as mock data.
Commerce API keys or other secrets could be displayed to the agent, logs, or anyone viewing the session.
The same config file is intended to contain API secrets, but troubleshooting tells users to print the full file, which can expose credentials in terminal logs or agent context.
"clientSecret": "YOUR_CLIENT_SECRET"
...
"secretKey": "YOUR_SECRET_KEY"
...
cat ~/.openclaw/workspace/config/daily-sales-digest.json
Avoid printing the full config; use redacted checks or commands that only show non-secret fields, and store least-privilege read-only API keys.
If the config or stored sales data is poisoned, an automatic alert/report run could execute unintended local shell commands under the user's account.
The script sends Discord messages by interpolating config/report content into a shell command; escaping only quotes does not prevent shell command substitution or other shell metacharacter issues.
execSync(`openclaw message send --channel discord --target "${channelId}" --message "${message.replace(...)}"`, { stdio: 'inherit' });
Use execFileSync/spawn with an argument array or a scoped messaging API, validate channel IDs, and avoid passing report text through a shell.
A user who copies the example or trusts the prefilled ID could send sensitive sales summaries to the wrong Discord target.
The reusable configuration template references a specific Discord DM/channel ID for report delivery, making the destination identity unclear.
"description": "Discord 채널 ID (형님 DM: 1468204132920725535)"
Remove personal channel IDs from templates and require users to explicitly enter and verify their own delivery destinations.
Reports and alerts may continue running and sending data after initial setup until the cron jobs are paused or deleted.
The skill documents persistent scheduled jobs that automatically generate and deliver reports; this is expected for the stated purpose but should be user-controlled.
openclaw cron add --name "daily-sales-digest:daily" --schedule "0 8 * * *" --command "node /Users/mupeng/.openclaw/workspace/skills/daily-sales-digest/scripts/digest.js --date yesterday --deliver discord"
Add cron jobs only after testing, review them with `openclaw cron list`, and delete or pause any job that is no longer needed.
