Skillv1.0.0

ClawScan security

daily-news-push · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 16, 2026, 9:27 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are internally consistent with a daily news-generation-and-push tool; it doesn't request unrelated credentials or perform hidden network exfiltration beyond the expected webhook/IM delivery and web searches.
Guidance: This package appears to do what it says: gather recent web content (via the agent's web_search tool), format it, and send it to your configured channel. Before installing, confirm: 1) your OpenClaw deployment provides the web_search tool and the messaging tools (wecom_mcp / feishu IM) the skill expects — otherwise Feishu/WeCom code prints JSON but will not actually send messages; 2) if you use Webhook, only supply webhook URLs you trust (the script will POST the full report to that URL, including any content the AI gathered); 3) the skill uses the requests library for Webhook POSTs — ensure requests is available in your environment; 4) the skill does not request secrets itself, but you will need to provide any delivery credentials/URLs in config.py; and 5) validate that allowing the agent to run web_search and create content aligns with your privacy/usage policies because the agent will perform external web queries and include sources/links in outgoing messages.

Purpose & Capability: okName/description (daily news generation and push) match the included code and SKILL.md. The files implement search/format/generate and push via WeCom/Feishu/Webhook. No unrelated binaries, env vars, or configuration paths are requested.
Instruction Scope: noteSKILL.md explicitly instructs the agent to use the platform's standard web_search tool to collect recent news — this is expected for the skill's purpose. Note: the skill assumes the agent environment provides a web_search tool and (for WeCom/Feishu) platform-specific messaging tools (wecom_mcp / feishu_im_user_message). The init flow writes a local config.py; the code does not attempt to read unrelated system files or environment variables.
Install Mechanism: okNo install spec (instruction-only). The bundle includes Python scripts only; nothing is downloaded from external or unfamiliar URLs and no archives are extracted. Low install risk.
Credentials: okThe skill requires no declared environment variables or credentials. It does accept user-supplied webhook URLs or receiver IDs via config.py (expected for delivery). There are no requests for unrelated secrets or system credentials in code or docs.
Persistence & Privilege: okalways is false and the skill does not request permanent platform-level privileges. The skill writes only a local config.py during interactive setup and does not modify other skills or global agent settings.