ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agentic Payment Daily

v1.0.0

Generate and deliver a daily Agentic Payment news briefing covering Visa Greater China updates, market trends, competitor protocols, and regulatory signals.

0· 97·0 current·0 all-time
by@juncaijames·duplicate of @juncaijames/ap-daily-report

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for juncaijames/agentic-payment-daily.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Agentic Payment Daily" (juncaijames/agentic-payment-daily) from ClawHub.
Skill page: https://clawhub.ai/juncaijames/agentic-payment-daily
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install agentic-payment-daily

ClawHub CLI

Package manager switcher

npx clawhub@latest install agentic-payment-daily
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose (generate & deliver a daily Agentic Payment briefing) matches the SKILL.md and the included convert-ap-report.mjs script. However there are mismatches: it embeds a specific local Obsidian path (/Users/juncai/... ) and a hard-coded WeChat recipient/accountId which are highly specific to one user. The package lists no required binaries or env vars, but the script clearly requires Node and external npm tools (md-to-pdf / puppeteer) to function. These hard-coded targets and undeclared dependencies are disproportionate to a generic 'daily report' skill and reduce portability and safety.
!
Instruction Scope
SKILL.md explicitly instructs the agent to read local Obsidian files (previous reports) at an absolute path and to write a new MD file at that same path — i.e., it will read and write arbitrary user content from a specific local directory. It also instructs delivering the PDF via a 'message' tool to a specific WeChat channel/target/accountId. Delivering artifacts to a hard-coded external recipient is effectively an exfiltration sink and is outside what a neutral, general-purpose skill should assume.
Install Mechanism
There is no install spec (instruction-only + one script). The included Node script uses execSync to call md-to-pdf and, as a fallback, launches puppeteer. That implies the environment must have Node and npm packages (md-to-pdf, puppeteer) installed; puppeteer may download Chromium at runtime. Because no install is declared, the skill will fail unless the environment already satisfies these dependencies — and running these tools can trigger network downloads and execution of native code. This is not inherently malicious but is an operational and supply-chain risk that was not declared.
!
Credentials
The skill declares no required environment variables or credentials, yet it contains hard-coded external delivery details (WeChat channel, target, accountId). That means any data the agent reads from the local Obsidian vault will be pushed to that external recipient without asking for or documenting credentials; there's no mechanism here for the installing user to review or override the destination. The embedded absolute paths and target identifiers are disproportionate because they grant the skill implicit access to potentially sensitive local content and a remote recipient.
Persistence & Privilege
always is false and the skill does not request system-wide changes in its files. The SKILL.md suggests adding a cron job, but the skill itself does not force always-on behavior or modify other skills' configurations. Its write actions are limited to the specified Obsidian path and /tmp PDF output, which is appropriate for its purpose — though the specific path is user-specific (see other concerns).
What to consider before installing
This skill appears to implement the advertised report generation, but it embeds hard-coded local paths and a specific WeChat delivery target (recipient + accountId). Before installing or running it: 1) Verify you trust the author and that the embedded local path and WeChat target are correct for your environment — otherwise the skill could read and push your local notes to someone else. 2) Ensure Node and the required npm tools (md-to-pdf, puppeteer) are installed from trusted sources; running puppeteer may download Chromium. 3) Consider editing the SKILL.md/script to remove hard-coded delivery targets and instead prompt for or use configurable environment variables for output destinations. 4) Test the script in a sandbox / non-production account and inspect the generated PDF and delivery behavior. 5) If you cannot confirm the destination and owner identity, do not enable autonomous runs (disable autonomous invocation or run manually) and do not schedule the cron until the delivery target is verified.
scripts/convert-ap-report.mjs:147
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk976xkec08bmq4at61a2dpfrn983xwfh
97downloads
0stars
1versions
Updated 4w ago
v1.0.0
MIT-0
@juncaijames
latest
Download

Agentic Payment Daily Report

Daily briefing for Visa Greater China Agentic Payment lead (Visa Intelligent Commerce).

Workflow

0. Deduplicate against previous reports

Before searching, read the previous 2 days' reports from Obsidian:

  • /Users/juncai/Documents/OBVault-MacMini/02_work/Visa工作/VIC/Agentic-Payment-Daily-Report/YYYY-MM-DD.md

Extract each reported news item's headline and source URL. During curation (step 1), filter out items that are:

  • Exact duplicate: same URL already reported
  • Near duplicate: same topic/event with no meaningful new development
  • Keep if updated: same topic but significant new development (merge update into existing entry)

1. Search & Curate (max 10 items)

Search for Agentic Payment news. Priority order:

  1. Visa dynamics — Agentic Ready, VIC, Trusted Agent Protocol, APAC/China partnerships
  2. China/APAC market — agentic payment adoption, pilots, launches
  3. Competitor protocols — Mastercard Agent Pay, Stripe MPP/Tempo, Google AP2, Coinbase x402, MoonPay OWS
  4. Regulatory & data — compliance signals, industry data, trend analysis

2. Format each item

### [Tag] Headline
- **摘要 / Summary:** 2-3 sentences (bilingual if English source)
- 💡 **So What:** Why this matters for Visa Greater China VIC
- 🎯 **Action Item:** What to consider doing based on this
- 🔗 Source: [title](url)

Tags: 🔴 重点必读 / 🟡 值得关注 / 🟢 背景信息

3. Deliver

A) Write to Obsidian

Path: /Users/juncai/Documents/OBVault-MacMini/02_work/Visa工作/VIC/Agentic-Payment-Daily-Report/YYYY-MM-DD.md

Frontmatter:

---
title: "Agentic Payment 日报 - YYYY-MM-DD"
date: YYYY-MM-DD
tags: agentic-payment, visa, daily-report
---

B) Generate PDF

node scripts/convert-ap-report.mjs <obsidian-md-path> "/tmp/Agentic Payment日报-YYYY-MM-DD.pdf"

C) Push to WeChat

  1. Send PDF as document via message tool: action: send, channel: openclaw-weixin, target: o9cq80wFt50OIoe6Wk8BEIOaC6x4@im.wechat, accountId: 26eb1d27b81b-im-bot, media: /tmp/Agentic Payment日报-YYYY-MM-DD.pdf, forceDocument: true
  2. Output report text as final reply (system will auto-deliver via announce)

Cron Setup

Schedule: 50 8 * * * Asia/Shanghai (delivered to WeChat).

To create/update the cron job, use the payload message below as the agent prompt, with delivery configured for the target WeChat account.

Cron Prompt

按照 agentic-payment-daily skill 生成今日日报。

步骤A:写入 Obsidian(路径 YYYY-MM-DD.md,短横线格式)→ echo "STEP A DONE"
步骤B:生成 PDF → echo "STEP B DONE"
步骤C:微信推送 PDF(channel: openclaw-weixin, target: o9cq80wFt50OIoe6Wk8BEIOaC6x4@im.wechat, accountId: 26eb1d27b81b-im-bot)→ echo "STEP C DONE"
步骤D:输出日报全文 → echo "STEP D DONE"

如果任何步骤失败,修复并重试。

Notes

  • Timeout budget: ~10 minutes (search + write + PDF + push)
  • If WeChat push fails, ensure Obsidian file and PDF are still saved (they are the primary artifacts)
  • Quality over quantity

Comments

Loading comments...