Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Daily Report

v1.0.0

Automatically generates and sends a daily AI news report. Use when the user says "生成 AI 日报" (generate the AI daily report) or when a scheduled task triggers it. Keywords include: AI日报 (AI daily report), AI资讯 (AI news), 开源AI项目 (open-source AI projects), 每日报告 (daily report).

Install

OpenClaw CLI:

openclaw skills install ai-daily-report

ClawHub CLI:

npx clawhub@latest install ai-daily-report

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill's name/description (daily AI report) matches what the scripts do: fetch RSS/GitHub, render SVG/PNG, and send via Feishu. However the registry metadata declares no required env vars or binaries while the code clearly expects GITHUB_TOKEN and FEISHU_CHAT_ID and depends on external tools (openclaw CLI, rsvg-convert/ImageMagick). That omission is an incoherence (likely sloppy packaging) but not by itself malicious.
Instruction Scope
The SKILL.md and scripts instruct network calls (RSS feeds, GitHub API) and subprocess invocations. send_report.py calls the 'openclaw' CLI to upload and send files; this invokes an external agent-managed tool that could access agent-level credentials or other tooling. SKILL.md suggests storing GITHUB_TOKEN in ~/.openclaw/env (a system-level location) which implies reading system environment/config—this is not fully reflected in registry declarations. The skill does not instruct reading unrelated user files, but the ability to call the openclaw CLI broadens what the skill can do at runtime and is not documented as a required binary.
Install Mechanism
No install spec (instruction-only) and all code is included in the bundle: low install risk. But runtime depends on Python packages (feedparser, jinja2, optional googletrans/cairosvg), plus system binaries (rsvg-convert or ImageMagick) and the 'openclaw' CLI—none of which are declared in the registry metadata. The absence of declared runtime dependencies is a packaging/information gap to fix.
Credentials
The code requires GITHUB_TOKEN (for GitHub Search API) and FEISHU_CHAT_ID (destination chat) though the registry lists no required env vars. GITHUB_TOKEN is reasonable for the GitHub API, but token scope matters — a token with broad repo or org scopes would be excessive for simple read-only search. FEISHU_CHAT_ID itself is not a secret but the upload/send flow relies on the agent's Feishu credentials (not declared) and could be used to exfiltrate generated content to an attacker-controlled chat if misconfigured.
Persistence & Privilege
always:false and default autonomous invocation are normal. The skill does not request persistent 'always' inclusion and does not modify other skills. Note: it invokes the 'openclaw' CLI which has platform-level reach; that increases blast radius only if the CLI has broad permissions.
What to consider before installing
Things to check before installing or enabling this skill:

- Confirm required environment variables and scopes: GITHUB_TOKEN (used for the GitHub API) and FEISHU_CHAT_ID (where the PNG is sent). Make sure the GITHUB_TOKEN is read-only (minimal scopes) so it cannot be misused.
- Verify the agent environment provides the 'openclaw' CLI and understand what credentials that CLI uses (the scripts call 'openclaw tool feishu_doc' and 'openclaw tool message'). If the CLI uses global agent credentials, ensure those credentials are limited and trusted, because the skill will invoke that CLI to upload and send files.
- Ensure required runtime tools are present and acceptable: rsvg-convert or ImageMagick (system binary), and Python packages (feedparser, jinja2, optional googletrans/cairosvg). These are not declared in registry metadata; ask the publisher to update the metadata.
- Review who published this skill (source is unknown). Prefer skills from known publishers or ask the author to provide a homepage and proper registry declarations (required env, required binaries, and minimal token scope guidance).
- Test in a sandboxed environment first and inspect where reports are sent (FEISHU_CHAT_ID). If you don't want automatic sending, run the pipeline locally and review outputs before enabling automated delivery.

If the publisher updates the registry to declare the env vars and binaries, documents the exact token scopes required, and identifies the source/homepage, this would reduce the concerns and could move the assessment to benign.
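One way to perform the first three checks above mechanically, as an added example that is not part of the skill or of ClawHub's tooling: a small static audit that lists the environment variables and subprocess binaries a bundle's scripts reference and reports any the registry metadata does not declare. The sample file contents are constructed to mirror the patterns the scan report describes, and the `audit_skill` function and its regexes are this example's own assumptions.

```python
"""Static pre-install audit for a skill bundle (added example): list the env
vars and subprocess binaries its scripts touch and flag any the registry
metadata does not declare."""
import re

# Constructed sample sources that mimic the patterns the scan report
# describes; they are not the real bundle contents.
SAMPLE_FILES = {
    "scripts/fetch_top_projects.py":
        "import os\n"
        "token = os.environ['GITHUB_TOKEN']\n",
    "scripts/svg_to_png.py":
        "import subprocess\n"
        "subprocess.run(['rsvg-convert', 'report.svg', '-o', 'report.png'], check=True)\n",
    "scripts/send_report.py":
        "import os, subprocess\n"
        "chat = os.getenv('FEISHU_CHAT_ID')\n"
        "subprocess.run(['openclaw', 'tool', 'feishu_doc', 'action=upload_file'])\n",
}

# Matches os.environ['X'], os.environ.get('X') and os.getenv('X')
ENV_RE = re.compile(r"""os\.(?:environ(?:\.get)?|getenv)\s*[\[(]\s*['"]([A-Z0-9_]+)['"]""")
# First string literal of the argv list passed to subprocess.<call>([...])
BIN_RE = re.compile(r"""subprocess\.\w+\(\s*\[\s*['"]([^'"]+)['"]""")


def audit_skill(files, declared_env=frozenset(), declared_bins=frozenset()):
    """Map each undeclared env var / binary to the sorted list of files using it."""
    env_uses, bin_uses = {}, {}
    for path, src in files.items():
        for name in ENV_RE.findall(src):
            env_uses.setdefault(name, set()).add(path)
        for name in BIN_RE.findall(src):
            bin_uses.setdefault(name, set()).add(path)
    return {
        "undeclared_env": {k: sorted(v) for k, v in env_uses.items()
                           if k not in declared_env},
        "undeclared_bins": {k: sorted(v) for k, v in bin_uses.items()
                            if k not in declared_bins},
    }


if __name__ == "__main__":
    # The registry for this skill declares no env vars or binaries at all
    report = audit_skill(SAMPLE_FILES)
    for kind, hits in report.items():
        for name, paths in sorted(hits.items()):
            print(f"{kind}: {name} (used in {', '.join(paths)})")
```

Run it against the real bundle by reading each script into the `files` mapping; anything it reports is a candidate for the publisher's metadata or for your own allow-list review.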

License: MIT-0

AI Daily Report Skill

Goals

  • Automatically fetch AI-related news from the last 24 hours (about 5 items)
  • Pull the top open-source AI projects on GitHub by star gain over the last 24 hours, restricted to projects with more than 10k stars (about 3 items)
  • Compile the information into a Markdown report
  • Generate a one-page visual report as SVG
  • Convert the SVG to PNG and send the image to the user via Feishu

Workflow overview

  1. Fetch news: scripts/fetch_news.py uses public RSS/news APIs and returns a JSON list [{title, link, source, date}]
  2. Fetch projects: scripts/fetch_top_projects.py calls the GitHub Search API (requires the GITHUB_TOKEN environment variable) and returns [{name, html_url, stars, description}]
  3. Generate report: scripts/generate_report.py takes the news and project data, writes report.md, and renders report.svg from the Jinja2 SVG template references/report_template.svg.
  4. SVG→PNG: scripts/svg_to_png.py calls rsvg-convert (or magick convert) to turn report.svg into report.png
  5. Send: scripts/send_report.py uses the Feishu doc API (feishu_doc action=upload_file) to upload the PNG as a file to the current conversation and returns the link.

Triggers

  • Natural-language trigger (chat): the skill starts automatically when the user says any of the following:
    • "生成 AI 日报" (generate the AI daily report)
    • "帮我做 AI 资讯报告" (make me an AI news report)
    • "每日 AI 报告" (daily AI report)
  • Scheduled trigger (cron): call scripts/run_daily_report.sh from HEARTBEAT.md or the system cron; the script runs the same pipeline and uses feishu_doc to send to a preset chat ID (configurable via the FEISHU_CHAT_ID environment variable)

Resource layout

ai-daily-report/
├── SKILL.md                     # this file
├── scripts/
│   ├── fetch_news.py
│   ├── fetch_top_projects.py
│   ├── generate_report.py
│   ├── svg_to_png.py
│   ├── send_report.py
│   └── run_daily_report.sh      # for cron invocation (optional)
└── references/
    └── report_template.svg      # Jinja2 SVG template

Example invocation (chat)

User: 生成 AI 日报 (generate the AI daily report)

OpenClaw reads the description, matches it, loads SKILL.md, and runs the steps above. It finally returns a message in the chat containing the PNG report, for example:

Today's AI report has been generated for you; please see the attachment.
(image sent as an attachment)

---
## Reference documents
- `references/report_template.svg` – SVG layout template using the Jinja2 variables `{{date}}`, `{{news}}`, `{{projects}}`.
- `references/github_search.md` – notes on using the GitHub Search API.
- `references/rss_news.md` – list of commonly used AI news RSS feeds.

---
## FAQ
- **Is a GitHub token required?** Yes; set `GITHUB_TOKEN` in `~/.openclaw/env` or as a system environment variable.
- **Where is the daily run configured?** Add the line `run: /home/ft/.openclaw/workspace/skills/ai-daily-report/scripts/run_daily_report.sh` to `HEARTBEAT.md`, or use the system `cron`.
- **What if the Feishu upload fails?** `send_report.py` catches the error and returns a text notice; check that `FEISHU_CHAT_ID` is correct and that the bot has file-upload permission.
