ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AP Daily Report

v1.0.0

Generate and deliver a daily Agentic Payment news briefing covering Visa dynamics, China/APAC market, competitor protocols, and regulatory updates for Visa G...

0· 97·0 current·0 all-time
by@juncaijames

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for juncaijames/ap-daily-report.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "AP Daily Report" (juncaijames/ap-daily-report) from ClawHub.
Skill page: https://clawhub.ai/juncaijames/ap-daily-report
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ap-daily-report

ClawHub CLI

Package manager switcher

npx clawhub@latest install ap-daily-report
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's actions (read previous reports, create a markdown file in an Obsidian vault, render to PDF, and push to WeChat) are coherent with the declared purpose of generating and delivering a daily report. However, the SKILL.md contains a hardcoded absolute Obsidian path (/Users/juncai/...), a hardcoded WeChat recipient and accountId, and the _meta.json ownerId differs from the registry ownerId — these are user-specific items that make the skill appear tailored for a particular person's environment rather than a generic, shareable skill.
!
Instruction Scope
The runtime instructions explicitly tell the agent to read and write files under a specific user's Obsidian vault path and to send a PDF to a specific external WeChat account. Reading/writing the user's local vault is within the stated purpose but is sensitive: it accesses local documents and will transmit the generated PDF externally. The instructions also assume a 'message' tool exists and that the agent has credentials to push to that WeChat account (these credentials are not declared or scoped in the skill), which expands the real-world side-effects beyond simple local formatting.
!
Install Mechanism
There is no install spec (instruction-only), but the included script (convert-ap-report.mjs) invokes external tools via execSync: it expects Node to be present and attempts to use 'md-to-pdf' and falls back to launching puppeteer. The skill declares no required binaries or packages, so there's a mismatch between declared requirements (none) and actual runtime dependencies (node, md-to-pdf, puppeteer and their transitive dependencies). That mismatch could cause failures or surprise the user when the agent attempts to install/execute missing tooling.
!
Credentials
requires.env lists no credentials, but the skill will transmit content to a hardcoded external WeChat target and accountId. The skill relies on the agent environment's messaging tool and its credentials without declaring or scoping them. While sending the report is part of the purpose, the lack of clear credential declarations and the presence of hardcoded external targets increases risk of unintended data exfiltration if the skill is reused in a different environment.
Persistence & Privilege
The skill is not marked always:true and does not request permanent system-wide privileges. It suggests setting up a cron job but does not itself contain an install script that modifies system cron or other agent configs. Autonomous invocation is allowed (platform default), which is expected for a scheduled report skill; this combination is reasonable but the user should be aware that the skill's cron instructions enable repeated automated reads and external sends.
What to consider before installing
This skill appears to do what it says, but exercise caution before installing. Key points: - It reads and writes files in a hardcoded Obsidian path (/Users/juncai/...). If that path does not belong to you, update the path before running or decline installation. - It will send the generated PDF to a hardcoded WeChat recipient and accountId. Confirm you trust that recipient and change the target if needed. - The bundled script expects Node and external renderers (md-to-pdf and/or puppeteer) but the skill declares no required binaries; ensure your runtime has Node and those packages installed or the PDF step will fail. - The metadata shows an owner mismatch between registry and _meta.json — ask the publisher who maintains this skill and why the IDs differ before trusting it. - If you plan to enable scheduled/autonomous runs (cron), remember this will repeatedly read local vault files and transmit reports externally; review and sanitize any sensitive content before enabling. If you decide to use this skill: update/remove hardcoded paths/recipient, install Node/md-to-pdf/puppeteer in a controlled environment, and test once manually to confirm behavior before enabling automated runs.
scripts/convert-ap-report.mjs:147
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d9xyeqvenj83av8h0am3k9583x6nz
97downloads
0stars
1versions
Updated 4w ago
v1.0.0
MIT-0
@juncaijames
latest
Download

Agentic Payment Daily Report

Daily briefing for Visa Greater China Agentic Payment lead (Visa Intelligent Commerce).

Workflow

0. Deduplicate against previous reports

Before searching, read the previous 2 days' reports from Obsidian:

  • /Users/juncai/Documents/OBVault-MacMini/02_work/Visa工作/VIC/Agentic-Payment-Daily-Report/YYYY-MM-DD.md

Extract each reported news item's headline and source URL. During curation (step 1), filter out items that are:

  • Exact duplicate: same URL already reported
  • Near duplicate: same topic/event with no meaningful new development
  • Keep if updated: same topic but significant new development (merge update into existing entry)

1. Search & Curate (max 10 items)

Search for Agentic Payment news. Priority order:

  1. Visa dynamics — Agentic Ready, VIC, Trusted Agent Protocol, APAC/China partnerships
  2. China/APAC market — agentic payment adoption, pilots, launches
  3. Competitor protocols — Mastercard Agent Pay, Stripe MPP/Tempo, Google AP2, Coinbase x402, MoonPay OWS
  4. Regulatory & data — compliance signals, industry data, trend analysis

2. Format each item

### [Tag] Headline
- **摘要 / Summary:** 2-3 sentences (bilingual if English source)
- 💡 **So What:** Why this matters for Visa Greater China VIC
- 🎯 **Action Item:** What to consider doing based on this
- 🔗 Source: [title](url)

Tags: 🔴 重点必读 / 🟡 值得关注 / 🟢 背景信息

3. Deliver

A) Write to Obsidian

Path: /Users/juncai/Documents/OBVault-MacMini/02_work/Visa工作/VIC/Agentic-Payment-Daily-Report/YYYY-MM-DD.md

Frontmatter:

---
title: "Agentic Payment 日报 - YYYY-MM-DD"
date: YYYY-MM-DD
tags: agentic-payment, visa, daily-report
---

B) Generate PDF

node scripts/convert-ap-report.mjs <obsidian-md-path> "/tmp/Agentic Payment日报-YYYY-MM-DD.pdf"

C) Push to WeChat

  1. Send PDF as document via message tool: action: send, channel: openclaw-weixin, target: o9cq80wFt50OIoe6Wk8BEIOaC6x4@im.wechat, accountId: 26eb1d27b81b-im-bot, media: /tmp/Agentic Payment日报-YYYY-MM-DD.pdf, forceDocument: true
  2. Output report text as final reply (system will auto-deliver via announce)

Cron Setup

Schedule: 50 8 * * * Asia/Shanghai (delivered to WeChat).

To create/update the cron job, use the payload message below as the agent prompt, with delivery configured for the target WeChat account.

Cron Prompt

按照 agentic-payment-daily skill 生成今日日报。

步骤A:写入 Obsidian(路径 YYYY-MM-DD.md,短横线格式)→ echo "STEP A DONE"
步骤B:生成 PDF → echo "STEP B DONE"
步骤C:微信推送 PDF(channel: openclaw-weixin, target: o9cq80wFt50OIoe6Wk8BEIOaC6x4@im.wechat, accountId: 26eb1d27b81b-im-bot)→ echo "STEP C DONE"
步骤D:输出日报全文 → echo "STEP D DONE"

如果任何步骤失败,修复并重试。

Notes

  • Timeout budget: ~10 minutes (search + write + PDF + push)
  • If WeChat push fails, ensure Obsidian file and PDF are still saved (they are the primary artifacts)
  • Quality over quantity

Comments

Loading comments...