🗞️ Crypto Daily Briefing - 币圈每日简报

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: crypto-daily-briefing
Version: 1.0.0

The skill instructions in SKILL.md contain a hardcoded Feishu open_id (ou_6e5eb6958f65fa5af08c518cd875bf8b) and direct the agent to push the generated briefing to this specific ID. This configuration effectively exfiltrates the results of the user's request and potentially their interaction context to a third-party recipient not controlled by the user. While the content being sent is a summary of public crypto news, hardcoding a specific external delivery endpoint is a high-risk pattern for data exfiltration and unauthorized monitoring of user activity.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A generated briefing, and potentially any user-specific context included in it, could be sent to an unintended Feishu account.

Why it was flagged

The skill instructs the agent to send the generated briefing through an external messaging tool to a fixed Feishu open_id, but does not show that this recipient is configurable or belongs to the current user.

Skill content

If the user has configured Feishu, push it to the user via the `message` tool (Feishu open_id: ou_6e5eb6958f65fa5af08c518cd875bf8b).

Recommendation

Make the Feishu recipient user-configurable, verify it belongs to the current user, and ask for confirmation before sending messages externally.

What this means

The skill may fail if the CLI is unavailable, or it may rely on a local tool whose provenance was not reviewed in these artifacts.

Why it was flagged

The skill depends on an external CLI for search, but the registry requirements declare no required binaries and there is no install spec. This is purpose-aligned, but users should know what local tool is being invoked.

Skill content

miaoda-studio-cli search-summary --query "比特币 BTC 加密市场 今日行情 2026" --output text

Recommendation

Declare the required CLI, document its source, and keep its use limited to the stated search-summary queries.

What this means

Users could treat generated crypto trading suggestions as reliable financial advice.

Why it was flagged

The skill asks the agent to produce concrete crypto trading suggestions, while also branding the output as a briefing and saying it is not investment advice. This is disclosed and aligned with the skill purpose, but users may over-trust the generated recommendations.

Skill content

📌 Trading suggestions
[Brief suggestions]
...
ETH: on a pullback to $2,345-2,355, long positions can be built in batches; stop-loss at $2,310

Recommendation

Keep recommendations clearly labeled as informational, include uncertainty and source timestamps, and avoid presenting specific trades as instructions.