Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Report Builder

v0.1.0

Use when the main operator needs to turn the nightly shortlist into a Telegram morning report with inline approve/reject/later buttons.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for omermesebuken1/report-builder.

Install the skill "Report Builder" (omermesebuken1/report-builder) from ClawHub.
Skill page: https://clawhub.ai/omermesebuken1/report-builder
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, openclaw
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install report-builder

ClawHub CLI

npx clawhub@latest install report-builder

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill's stated purpose is Notion -> Telegram reports, which would legitimately require Notion credentials/DB IDs and a Telegram target, but the registry metadata declares no required environment variables or primary credential. The code clearly expects OPENCLAW_NOTION_TOKEN, OPENCLAW_NOTION_DB_PROJECT_IDEAS, OPENCLAW_NOTION_DB_NIGHTLY_RUNS, and OPENCLAW_TELEGRAM_TARGET (among possible others). This mismatch between claimed requirements and actual needs is incoherent and surprising.
! Instruction Scope
SKILL.md instructs running the included build and send scripts, which is expected, but those scripts: (1) call out to the Notion API and will fail unless tokens/DB IDs are present, (2) load local environment via an imported loadLocalEnv module, and (3) the sender executes (via node) an absolute path under /Users/dellymac/.openclaw/.../factory_ops.mjs to record deliveries. Running code outside the bundle and importing local helper modules expands scope beyond the described skill and may execute arbitrary local code.
Install Mechanism
No install spec (instruction-only) and included JS scripts—no network downloads or package installs are declared. That's lower install risk, but the bundle contains executable scripts that will run with the user's Node and rely on an external 'openclaw' binary.
! Credentials
The scripts require sensitive environment variables (Notion bearer token and DB IDs, plus a Telegram target) but the registry declares none. The sender forwards process.env to spawned processes and invokes openclaw with that environment, which could expose unrelated secrets if present. The number and sensitivity of env variables is reasonable for the task, but failing to declare them is a proportionality/transparency problem.
! Persistence & Privilege
The skill is not flagged 'always' and does not request system-wide persistence; however it executes another local skill/script via an absolute path (factory_ops.mjs) and imports a local loadLocalEnv module. That cross-skill/local-code execution increases privilege surface because sending a report triggers execution of code outside this bundle, which is unexpected and potentially dangerous.
What to consider before installing
Before installing or running this skill:
(1) expect to provide a Notion API token, two Notion DB IDs (ideas and nightly runs), and a Telegram target—these are required though not declared;
(2) review the included scripts carefully—build_report.mjs queries Notion and send_report.mjs spawns the local 'openclaw' binary and also runs a node script at an absolute path (/Users/dellymac/.openclaw/skills/notion-pipeline/scripts/factory_ops.mjs). That last behavior executes code outside the skill and could run arbitrary local logic—verify that target file (or change the code) before use;
(3) verify the openclaw CLI behavior and ensure no unrelated secrets in your environment will be forwarded to child processes;
(4) ask the publisher to update SKILL.md/registry metadata to list required env vars and to remove/justify calls to external absolute paths (or provide the referenced helper modules inside the bundle).
If you cannot inspect or control the referenced local scripts, run this in a sandbox or decline the skill.
scripts/send_report.mjs:115
Shell command execution detected (child_process).
scripts/build_report.mjs:10
Environment variable access combined with network send.
! scripts/build_report.mjs:295
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Runtime requirements

📨 Clawdis
Bins: node, openclaw
Tags: factory, latest, telegram
126 downloads
0 stars
1 versions
Updated 1mo ago
v0.1.0
MIT-0

report-builder

Use {baseDir}/scripts/send_report.mjs to send the 09:00 Telegram report. Use {baseDir}/scripts/build_report.mjs to deterministically build the payload file before send time.

Input shape

Pass a JSON file with:

  • date
  • summary
  • reportUrl (optional)
  • ideas: array of { id, title, score, reason, notionUrl }

See {baseDir}/references/report-schema.md.

Usage

node {baseDir}/scripts/build_report.mjs workspace/reports/latest-nightly-report.json
node {baseDir}/scripts/send_report.mjs report.json
node {baseDir}/scripts/send_report.mjs report.json 1565027149

Rules

  • Keep the report short.
  • Build phase must leave behind a JSON payload file, even when blocked by missing env or a Notion query error.
  • Include buttons only for the shortlisted ideas.
  • Button callbacks must be:
    • approve:<ideaId>
    • reject:<ideaId>
    • later:<ideaId>
