ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

推送到负一屏

v1.0.0

将任务执行结果推送到负一屏卡片显示,支持普通推送和定时任务推送

1· 71·0 current·0 all-time
byas@pingjiang
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, tools.json, and the included CLI code consistently implement a push-to-Today (负一屏) feature; requiring Node is expected for a Node CLI. The parameters and network call in the code align with the stated purpose.
Instruction Scope
SKILL.md and tools.json instruct the agent to execute node scripts/cli.js with session-derived msgId and content. SKILL.md also mandates that scheduled tasks be pushed immediately without user confirmation — this is within the skill's purpose (automation) but is a behavioral/privacy consideration (no opt-out or confirmation).
Install Mechanism
No install spec or external downloads are present; the skill is instruction-only plus a bundled CLI script. No archive downloads or third-party installers are used.
!
Credentials
The CLI and SKILL.md require AS_TODAY_AUTH_CODE (and optionally AS_TODAY_API_URL). However, the registry-level metadata at the top of the submission lists no required env vars/primary credential — a packaging inconsistency that can cause silent misconfiguration. README references a DEBUG env var used by the code but DEBUG is not declared in SKILL.md metadata. The default API endpoint in the code is https://api.example.com/push2today (a placeholder) — you should verify the real endpoint before using the token.
Persistence & Privilege
Skill is not always:true, does not request system-wide config paths, and does not modify other skills. It can be invoked autonomously (default), which is normal for skills; combined with the forced auto-push rule, this increases the risk of automatic pushes but is not a privilege escalation by itself.
What to consider before installing
Before installing: 1) Confirm the AS_TODAY_API_URL points to a trusted service — the bundled default is api.example.com (placeholder). 2) Only provide an auth token (AS_TODAY_AUTH_CODE) with minimal privileges and avoid reusing high-privilege secrets. 3) Be aware scheduled tasks are configured to push immediately without asking the user; if that's undesired, do not enable automatic scheduling or modify the skill. 4) Registry metadata omits the declared required env var (AS_TODAY_AUTH_CODE) — verify your OpenClaw config sets this env so the skill won't fail or attempt to use an incorrect endpoint. 5) The CLI uses global fetch (Node >=18 or a polyfill required); ensure your runtime is compatible. 6) If you do not trust the upstream endpoint or the author (homepage and repo look like placeholders), review/modify the scripts/cli.js code to point to a known endpoint or avoid installing.
scripts/cli.js:23
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsnode
latestvk97a54z42fhwyfbz4em197a74583xx16
71downloads
1stars
1versions
Updated 2w ago
v1.0.0
MIT-0
as@pingjiang
latest
Download

Push2Today

将任务执行结果推送到负一屏显示。

工具说明

此 Skill 通过 tools.json 定义 push2today 工具,执行 scripts/cli.js 命令实现推送功能。

触发条件

以下任一触发短语都会激活此 skill:

  • "推送到负一屏"
  • "帮我推送到负一屏"
  • "将结果推送到负一屏"
  • "推送到手机"
  • "帮我推送到手机"
  • "帮我推送到手机负一屏"
  • "发送到手机负一屏"
  • "手机负一屏"
  • "push to Today"
  • "推送到 Today"

环境配置

使用此 skill 前,必须配置环境变量:

openclaw config set skills.entries.push2today.env.AS_TODAY_AUTH_CODE "your_actual_token_here"

重要AS_TODAY_AUTH_CODE 是必填的环境变量,用于接口鉴权。如果未配置,skill 调用将失败。

工具参数

参数类型必填说明
msgIdstring消息 ID,从当前会话上下文自动获取
summarystring任务摘要(64 字符以内)
resultstring执行结果:"任务执行成功""任务执行失败"
contentstring详细内容(长度限制 30717 字符)
scheduleTaskIdstring定时任务 ID,来自定时任务时填写
scheduleTaskNamestring定时任务名称,来自定时任务时填写
sourcestringclaw 类型,固定填写 "openclaw"

result 取值规则

  • 任务执行成功或有有效结果 → "任务执行成功"
  • 任务执行失败或遇到错误 → "任务执行失败"

summary 格式要求

  • 长度:64 字符以内
  • 内容:简洁描述任务核心内容
  • 示例:
    • "代码审查完成,发现 3 个问题"
    • "数据分析完成"
    • "定时任务执行成功"

使用示例

示例 1:普通推送

用户说"帮我推送到负一屏"时,执行:

node scripts/cli.js push2today --msgId "msg-123456" --summary "代码审查完成" --result "任务执行成功" --content "已完成代码审查,发现 3 个潜在问题需要修复..."

示例 2:推送到手机

用户说"帮我推送到手机"或"帮我推送到手机负一屏"时,执行:

node scripts/cli.js push2today --msgId "msg-789012" --summary "数据分析完成" --result "任务执行成功" --content "已完成销售数据分析,本季度增长 15%,环比增长 8%..."

示例 3:定时任务自动推送

定时任务执行完成后自动执行:

node scripts/cli.js push2today --msgId "msg-cron-001" --summary "晨间摘要完成" --result "任务执行成功" --content "已完成今日晨间摘要:天气晴朗,气温 20°C,今日有 3 个会议..." --scheduleTaskId "morning-brief" --scheduleTaskName "晨间摘要" --source "openclaw"

定时任务强制推送规则

所有定时任务执行完成后,必须立即执行 push2today 命令推送结果。

这是强制操作,不需要:

  • ❌ 等待用户确认
  • ❌ 询问是否需要推送
  • ❌ 添加额外说明

直接执行命令:

node scripts/cli.js push2today --msgId "从会话上下文获取" --summary "任务摘要" --result "任务执行成功" --content "详细的任务执行结果..." --scheduleTaskId "定时任务ID" --scheduleTaskName "定时任务名称" --source "openclaw"

约束

  • content 参数长度不能超过 30717 字符
  • summary 长度不能超过 64 字符
  • 未配置 AS_TODAY_AUTH_CODE 环境变量时,返回明确的错误信息
  • 定时任务必须填写 scheduleTaskIdscheduleTaskNamesource

Comments

Loading comments...