Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Daily CEO Briefing Generator

v1.0.3

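Daily briefing generation skill. Automatically fetches live content from 28 sources and generates an in-depth, CEO-style analysis briefing. Trigger: the user asks for "每日简报" (daily briefing), "科技新闻" (tech news), or "AI 简报" (AI briefing). Core flow: RSS fetch → JSON data → AI-generated CEO briefing.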

by zylorra (@yhlorra)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yhlorra/lorra-ceo-briefing.

Install the skill "Daily CEO Briefing Generator" (yhlorra/lorra-ceo-briefing) from ClawHub.
Skill page: https://clawhub.ai/yhlorra/lorra-ceo-briefing
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lorra-ceo-briefing

ClawHub CLI

npx clawhub@latest install lorra-ceo-briefing

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the code and instructions: scripts fetch many news sources (HN, GitHub, Product Hunt, Chinese outlets, HF papers, newsletters) and produce a Markdown briefing. No unexpected cloud credentials or unrelated binaries are requested; README and code state 'zero-config', and the skill indeed requires no env vars.
Instruction Scope
SKILL.md instructs running the included Python scripts (daily_briefing.py → generate_ceo_briefing.py) and tells the agent to read local reference files for generation; this is expected. However, SKILL.md triggered a pre-scan finding for 'unicode-control-chars' (a common prompt‑injection pattern). The code and README also explicitly describe bypassing anti-bot protections ('Playwright 绕过 Cloudflare', i.e. "Playwright bypasses Cloudflare"), which expands the skill's runtime scope to active web scraping and evasion behavior; that is legitimate for an aggregator but raises operational and legal/ethical considerations.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the project includes runnable Python code requiring dependencies and Playwright (README instructs pip install -r requirements.txt and 'playwright install chromium'). Running these scripts will download/execute Chromium and perform network fetches. No arbitrary remote installers or obscure URLs were found, but the runtime will install large browser components and execute headless browsers — review before running.
Credentials
The skill requests no environment variables or secrets and declares no primary credential. The code uses public HTTP APIs and web scraping; it does not require AWS/GitHub/other tokens. This is proportionate to the aggregator purpose.
Persistence & Privilege
Flags show always:false and user-invocable:true. The skill does not request elevated system privileges nor claim permanent presence. It writes its outputs to a reports/ directory inside the skill tree (normal).
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md was flagged for Unicode control characters that can be used in prompt‑injection attacks. That is unrelated to RSS scraping/brief generation and should be inspected — it may be accidental (editor artifact) or intentionally trying to influence agent/evaluator parsing.
What to consider before installing
What to check before installing/running:

1) Inspect SKILL.md for hidden characters: the registry scan found unicode control characters in SKILL.md. Open the file in a hex/Unicode‑aware editor and remove any unexpected control codes. Treat that as higher risk than normal typos.
2) Review the scripts locally before execution: the repo contains many scraping scripts that launch Playwright/Chromium and call external URLs. Ensure you understand which sites will be fetched and why. Running them will download and execute a headless browser.
3) Legal/ethical caution: the code intentionally applies anti‑bot evasion flags (e.g. '--disable-blink-features=AutomationControlled') and mentions '绕过 Cloudflare' ("bypass Cloudflare"). That can violate terms of service for some sites; confirm you have permission to scrape the listed sources.
4) Run in isolation: if you decide to try it, run the skill in a sandboxed environment (container or VM) so that network activity and the downloaded browser are contained.
5) Reduce blast radius: consider modifying profiles to limit sources or disable Playwright 'deep fetch' on sensitive sites. You can run fetchers with '--no-save' or steer the profile to only use APIs that return JSON.
6) Confirm no hidden exfil endpoints: while no suspicious remote endpoints were found in the provided files, you should audit any remaining truncated files in the repository and grep for suspicious domains or encoded strings.
7) If you lack time/skills: treat this skill as 'not ready for blind install'. Ask the publisher for provenance (homepage, git URL, maintainer) or request a minimal version that only uses official APIs (no evasive Playwright scraping).

If you want, I can: (a) give a short checklist and commands to safely review the repository locally, (b) scan the remaining omitted files for suspicious patterns, or (c) help sanitize SKILL.md to remove control characters.

Like a lobster shell, security has layers — review code before you run it.

Tags: agent, briefing, chinese, latest, news, openclaw
98 downloads
0 stars
4 versions
Updated 1mo ago
v1.0.3
MIT-0

News Aggregator Skill

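Daily briefing generation: fetch 28 sources → generate a CEO-style briefing.

## Workflow

```bash
# 1. Fetch data (any combination of sources)
python3 scripts/daily_briefing.py --profile <profile>

# 2. Generate the CEO briefing
python3 scripts/generate_ceo_briefing.py --date YYYY-MM-DD
```

Output: `reports/YYYY-MM-DD/ceo_briefing.md`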


## Available Briefing Profiles

| Profile | Sources | Purpose |
|---------|---------|---------|
| `general` | HN + PH + GitHub + V2EX + left-wing media | General morning briefing (CEO style) |
| `insights` | HN + PH + GitHub (curated) | High-value insights |
| `finance` | WallStreetCN + 36Kr + Tencent | Finance daily |
| `tech` | GitHub + HN + Product Hunt | Tech daily |
| `ai_daily` | HF Papers + AI Newsletters | AI in-depth daily |
| `social` | Weibo + V2EX | Gossip daily |
| `github` | GitHub Trending | GitHub picks |
| `reading_list` | Essays + Podcasts | Reading/listening list |

## Key Files

| File | Role |
|------|------|
| `scripts/generate_ceo_briefing.py` | Reads JSON + instruction → AI generates the CEO briefing |
| `scripts/daily_briefing.py` | Fetches data from multiple sources and outputs unified JSON |
| `references/briefing_general.md` | CEO briefing instruction (the AI reads this file to generate content) |
| `scripts/fetch_news.py` | Single-source fetcher |

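## Instruction Reference (used by the AI)

For CEO-style briefing generation, the AI automatically reads `references/briefing_general.md`, which defines:
- The Executive Summary (today's key points) format
- Grouping by topic rather than by ranking
- Impact analysis rather than popularity numbers
- Post-reading reflection questions

To adjust the briefing format, edit `references/briefing_general.md`.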

## Instruction Files

- `references/briefing_general.md` - CEO general morning briefing
- `references/briefing_finance.md` - Finance daily
- `references/briefing_tech.md` - Tech daily
- `references/briefing_ai_daily.md` - AI in-depth daily
- `references/briefing_social.md` - Social/gossip daily
- `references/briefing_github.md` - GitHub picks

---
Co-produced by 楚泉 & lorra
