Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dual-Channel Smart Report Push

v1.0.0

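Pushes a smart summary of an analysis report to WeChat (a task list of ≤100 characters) and the full text to QQ Mail; triggered when the user says "push the report" (推送报告).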

Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binaries (python3), and required env vars (QQ_MAIL_ACCOUNT, QQ_MAIL_AUTH_CODE, TARGET_QQ_MAIL, WECHAT_PUSH_KEY) align with a report-to-email+WeChat pusher. The SMTP usage for QQ Mail and an HTTP push endpoint for WeChat/PushPlus is consistent with the purpose.
Instruction Scope
SKILL.md instructs the agent to perform compliance checks, deduplication, rate limiting, and to generate the ≤100‑char WeChat summary itself. However, the included script does not implement compliance filtering, deduplication, or rate-limiting—these protections are only promised in prose. Also the instructions call python3 {baseDir}/scripts/push_report.py but the repository contains scripts/ush_report.py (filename mismatch) which will break the instructed command unless corrected.
Install Mechanism
No external/binary downloads; installation is a simple pip install requests (requirements.txt present). This is low-risk from an install mechanism standpoint.
Credentials
The environment variables requested are appropriate for the stated functionality. However, SKILL.md claims the WECHAT_PUSH_KEY supports both Server酱 (SCT...) and PushPlus tokens, while the script always posts to PushPlus (http://www.pushplus.plus/send). A Server酱 token will not work with that endpoint. Also the script uses plain HTTP for the push endpoint (not HTTPS), which is a minor transport concern.
Persistence & Privilege
always:false and no install-time writes to system configuration or other skills. The skill does not request elevated or persistent platform privileges.
What to consider before installing
This skill mostly does what it says (send mail via QQ SMTP and post to a WeChat push endpoint) and only requires the expected environment variables. Before installing or enabling it: 1) fix or confirm the script path (SKILL.md calls scripts/push_report.py but the code file is scripts/ush_report.py) — otherwise the agent will fail to run the sender; 2) don't assume the promised "built-in" compliance, rate-limiting, or deduplication actually exists — the shipping script does not implement these protections, so ensure the agent enforces them before calling the script or add those checks to the script; 3) verify which WeChat push service you will use — the script always uses PushPlus endpoint, so Server酱-style tokens (SCT...) will not work; 4) note the script uses HTTP for pushplus (consider changing to HTTPS if supported) and truncates summaries locally; 5) test with non-sensitive content and test accounts first (so your real auth codes are not exposed during debug). These inconsistencies explain the "suspicious" rating; they may be benign packaging errors but should be resolved before trusting the skill with real credentials or sensitive reports.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📨 Clawdis
Bins: python3
Env: QQ_MAIL_ACCOUNT, QQ_MAIL_AUTH_CODE, TARGET_QQ_MAIL, WECHAT_PUSH_KEY
latest: vk977w6dk0ytj7ddpsn2k6jxc1h83pkwp
71 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

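Dual-Channel Smart Report Push: WeChat Summary & Full Text by Email

Pushes analysis reports (stocks, technology, research, etc.) to two channels with different content:

  • WeChat → a structured task list / key notes of ≤100 characters, distilled by the Agent
  • QQ Mail → the complete original text (Markdown or plain text)

Built-in compliance filtering, rate limiting, and push deduplication keep pushes safe and efficient.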

Use When

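  • The user asks to push or send an analysis report to WeChat or QQ Mail
  • The user says "send the report" (发送报告), "push the results" (推送结果), "notify me" (通知我), or "send me the report" (把报告发给我)
  • An upstream Skill has generated a report that needs to be distributed as a notification
  • The user explicitly asks to "push to WeChat" (推送到微信) or "send to email" (发到邮箱)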

Do NOT Use When

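  • The user only asks to generate a report and does not ask for it to be pushed
  • The user asks to send to DingTalk, Feishu, Telegram, or any channel other than WeChat/QQ Mail
  • The content to push contains clearly prohibited material (pornography, violence, gambling, politically sensitive content, etc.)
  • The same report has already been pushed within the last 5 minutes (duplicate prevention)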

Prerequisites

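  1. QQ Mail SMTP configuration

    • QQ_MAIL_ACCOUNT: the sender's QQ Mail address (e.g. 123456@qq.com)
    • QQ_MAIL_AUTH_CODE: the QQ Mail SMTP authorization code

      ⚠️ This is not the QQ login password! To obtain it: QQ Mail → Settings → Account → POP3/SMTP service → Generate authorization code

    • TARGET_QQ_MAIL: the recipient's QQ Mail address
  2. WeChat push configuration

    • WECHAT_PUSH_KEY: the push service token

      Supports Server酱 (keys starting with SCT) or PushPlus (32-character string)

  3. Runtime environment

    • Python 3.7+
    • requests library: pip3 install requests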

Instructions

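Step 1: Receive the report content

Obtain the full report text and title provided by the user. If the user does not provide a title, generate one from the first line of the report or from a summary of its content.

Step 2: Compliance pre-check (you must perform this)

Before pushing, check the report content. If it contains any of the following, refuse to push and tell the user:

  • Pornography, violence, terrorism, or gambling-related content
  • Explicit politically sensitive information
  • Fraudulent, false, inaccurate, or misleading information
  • Other people's private data (ID card numbers, mobile numbers, bank card numbers, etc.)

If the content is compliant, continue to the next step.

Step 3: Generate the WeChat summary (you must do this yourself; do not delegate it to the script)

You must condense the full report into a structured summary of no more than 100 characters, strictly following the template below (labels: 结论 = conclusion, 待办 = to-do):

📊 {report title} ▸ 结论:{one-sentence core conclusion} ▸ 待办:{1-3 key action items} ▸ ⚠️ {one risk or important note}

Example: 📊 贵州茅台Q3分析 ▸ 结论:营收同比+15%,净利润超预期 ▸ 待办:①关注Q4产能释放 ②12月股东大会 ▸ ⚠️ 注意海外市场汇率波动风险

Hard requirement: the total character count of the summary (including punctuation and emoji) must be ≤ 100. If it is longer, shorten it.

Step 4: Call the push script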

第四步:调用推送脚本

python3 {baseDir}/scripts/push_report.py \
  --title "报告标题" \
  --summary "第三步生成的微信摘要(≤100字)" \
  --content "完整报告原文" \
  --channel both

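Parameters:
--title: the report title
--summary: the content pushed to WeChat (structured summary of ≤100 characters)
--content: the content pushed by email (the complete original text)
--channel: both|wechat|email (default: both)

Step 5: Parse the result and report back
The script returns a JSON result. Based on it, report clearly to the user:
✅ The push status of each channel
⚠️ If compliance filtering was applied, the reason for the filtering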
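
The scan above notes that the 5-minute deduplication, the privacy-data check and the summary limit exist only in prose, so the following is an added example (not the skill's own code) of a guard that could run before the sender script is called. `PushGuard`, `find_pii`, `luhn_ok` and the regular expressions are hypothetical names and constructed patterns; the summary length is counted in Unicode code points, which is an assumption about how "characters" are measured.

```python
import hashlib
import re
import time

DEDUP_WINDOW_S = 5 * 60   # page: same report must not be pushed twice within 5 minutes
SUMMARY_MAX = 100         # page: summary <= 100 characters incl. punctuation and emoji

# Constructed patterns (assumptions) for the privacy data listed in step 2.
PII_PATTERNS = {
    "id_number": re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"),
    "mobile": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
    "bank_card": re.compile(r"(?<!\d)\d{16,19}(?!\d)"),
}

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return the sorted kinds of privacy data found in text."""
    hits = set()
    for kind, pat in PII_PATTERNS.items():
        for m in pat.finditer(text):
            if kind != "bank_card" or luhn_ok(m.group()):
                hits.add(kind)
    return sorted(hits)

class PushGuard:
    """Decides whether a report may be handed to the sender script."""
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._seen = {}  # sha256(title + content) -> time of last allowed push

    def check(self, title, summary, content):
        if len(summary) > SUMMARY_MAX:  # len() counts Unicode code points
            return False, "summary_too_long"
        pii = find_pii(title + "\n" + summary + "\n" + content)
        if pii:
            return False, "pii:" + ",".join(pii)
        key = hashlib.sha256((title + "\0" + content).encode("utf-8")).hexdigest()
        now = self._clock()
        last = self._seen.get(key)
        if last is not None and now - last < DEDUP_WINDOW_S:
            return False, "duplicate"
        self._seen[key] = now
        return True, "ok"
```

The `_seen` table lives in memory only, so deduplication across separate script invocations would need it persisted, for example in a small state file.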


#### 2. Create `requirements.txt`
Create this file in the `report-pusher` root directory with the following content:
```text
requests==2.31.0
```
