ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Cv Weekly

v7.0.1

Generates in-depth weekly AI/Computer Vision reports by aggregating data from multiple sources with plugin-based pipeline and multi-channel delivery.

0· 212·1 current·1 all-time
by@llx9826

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for llx9826/ai-cv-weekly.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Ai Cv Weekly" (llx9826/ai-cv-weekly) from ClawHub.
Skill page: https://clawhub.ai/llx9826/ai-cv-weekly
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ai-cv-weekly

ClawHub CLI

Package manager switcher

npx clawhub@latest install ai-cv-weekly
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is advertised as an 'Ai Cv Weekly' reporter but the bundle is the general 'ClawCat Brief' briefing engine (planners, many adapters, grounding, renderers, Playwright, akshare finance adapters, registry.json, etc.). A dedicated AI/Computer-Vision weekly skill would not normally include wide-ranging news/finance adapters, a skill_proxy adapter, or full Playwright-based rendering. This mismatch could be benign (a generic engine configured to produce CV reports) but it is an unexplained divergence from the declared purpose.
Instruction Scope
SKILL.md exposes three host-mode tools (plan_report, fetch_data, render_report) and documents a standalone CLI mode requiring an LLM API key in config.yaml. The runtime instructions do not ask the agent to read unrelated system files or secrets beyond the optional LLM key. The SKILL.md and repository contain extensive guidance and embedded assets (including a base64 logo file), and the SKILL.md content triggered a 'base64-block' pre-scan pattern (likely from embedded static assets) — this is not intrinsically malicious but worth noting.
Install Mechanism
No install spec is declared (instruction-only in registry), and the codefiles are included in the skill bundle rather than downloaded at install time. There are no external URL downloads in the install metadata. However the code depends on heavy runtime packages (Playwright, HTTP clients, akshare, Playwright needs a system browser) which may require additional system-level install steps not declared in registry metadata.
Credentials
The registry declares no required environment variables or credentials. The standalone CLI mode, however, expects an LLM API key in config.local.yaml/.env if you run the pipeline locally. The project performs wide network access (many public news and data endpoints) and can invoke external adapters; while no secrets are required by default, granting it an LLM API key or allowing it to import external modules (via the skill_proxy/registry mechanism) increases its capability surface and should be considered carefully.
Persistence & Privilege
The skill does not request 'always: true' nor declare system-wide config changes. It doesn't appear to modify other skills' configurations. Autonomous invocation is allowed (platform default) but not combined with other high-privilege flags.
Scan Findings in Context
[base64-block] expected: A base64 block is present (static/luna_logo_b64.txt and embedded assets). For a packaged repo with static logo or assets this is expected. It was flagged by the pattern detector in SKILL.md but by itself is not evidence of malicious intent.
What to consider before installing
What to check before installing or running this skill: - Purpose mismatch: The registry name/description ('Ai Cv Weekly') is narrow, but the bundle is a generic briefing engine (ClawCat) with many adapters (news, finance, search), rendering (Playwright), and pipeline components. If you only want a CV‑focused weekly, ask the publisher or inspect registry.json/config to ensure only the intended sources are enabled. - Network activity: The code fetches data from many public endpoints (news APIs, search engines, social feeds). Expect outbound HTTP(S) traffic; run in an environment where that is acceptable. - Playwright and system deps: The repo uses Playwright for HTML→PDF/PNG. Playwright requires a browser runtime (Chromium) and may need extra installation. Confirm system requirements before running. - LLM API keys: Standalone mode requires an LLM API key in config.local.yaml or env; only provide keys if you trust the skill and run it in a controlled environment. In host-skill mode (plan_report/fetch_data/render_report), no key is required by the skill itself. - skill_proxy / dynamic import risk: The adapters include a skill_proxy adapter that can bridge to other skill modules by name. Check registry.json for any entries that import external or unexpected modules — arbitrary import/call can expand what code executes when fetch_data runs. - Review registry.json and adapters: Inspect which sources are enabled by default and any adapter code that posts or forwards data. The repo is large but readable; scan the adapters you expect to use. - Run in a sandbox first: Execute the CLI or host calls in an isolated/testing environment to observe network calls, filesystem writes, and any browser activity before enabling in production. - Provenance: The skill owner/source is unknown and there is no homepage. If provenance matters for your use, ask the publisher for clarification or prefer a skill with clear author/source. If you want, I can: - Extract and summarize registry.json and which data sources are enabled by default. - List runtime Python dependencies and any system-level requirements (e.g., Playwright browsers) from requirements.txt. - Point out places in the code to edit if you want to restrict sources or disable Playwright rendering.
!
clawcat/adapters/registry.json:180
Install source points to URL shortener or raw IP.
!
config.yaml:22
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk975b68whbqdeaqevksjnvj12183w7vk
212downloads
0stars
4versions
Updated 2h ago
v7.0.1
MIT-0
@llx9826
latest
Download

ClawCat Brief — AI 简报引擎 Skill

本项目提供两种使用模式。请根据你的角色选择:

宿主 AI 模式(推荐)

如果你是 Cursor / OpenClaw 等宿主 AI,请阅读:

clawcat_skill/SKILL.md

该模式提供三个工具函数(plan_report / fetch_data / render_report), 你只需调用工具获取数据和渲染,内容撰写由你完成,无需额外 LLM API Key。

from clawcat_skill import plan_report, fetch_data, render_report

独立运行模式

如果你想独立运行完整 pipeline(自带 LLM),使用 CLI:

python -m clawcat.cli "做个每日 AI 新闻"
python -m clawcat.cli "OCR 技术周报"
python -m clawcat.cli "今天 A 股怎么样"

此模式需要在 config.yamlconfig.local.yaml 中配置 LLM API Key。

ClawCat Brief · Built by llx & Luna

Comments

Loading comments...