Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
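Daily Briefing Generator
v1.0.0 Daily Briefing Generator. Automatically aggregates multiple information sources (RSS, web pages, Tavily search) and generates a structured daily briefing, with support for scheduled push. Use this skill when the user needs to: generate a daily industry briefing, summarize news from multiple channels, produce a morning or evening report, or push briefings to a team on a schedule.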
by xuyongliang @xuyongliang-eccom
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description and SKILL.md claim multi-source aggregation (RSS, webpage scraping, Tavily) and scheduled push to enterprise channels, but the repository only contains scripts/generate_briefing.py which calls a Tavily search helper. There is no RSS parsing or web-scraping code, and the referenced scripts/schedule_briefing.py is not included. Metadata declares no required env vars, yet the code expects TAVILY_API_KEY. These mismatches indicate the implementation does not match the claimed purpose.
Instruction Scope
SKILL.md instructs users to subscribe RSS via feeds.txt, run generate_briefing.py with --rss, and use schedule_briefing.py to set up cron-like pushes to WeCom/Feishu/DingTalk. The available script does not implement RSS handling or any push/scheduling functionality — it only queries Tavily and writes output. The instructions therefore grant broader capabilities than the code actually performs, which is misleading and may cause unexpected behavior if users follow them.
Install Mechanism
There is no install spec (instruction-only plus one script) — low friction and lower disk-write risk. The script attempts to import a third-party 'tavily' package; if missing it returns an instruction to 'pip install tavily-python'. The skill does not include guidance or pinned dependency info for that package. Requiring users to install an unvetted package is a modest risk and should be clarified.
Credentials
Metadata declares no required environment variables, but generate_briefing.py reads TAVILY_API_KEY from the environment to call Tavily. Requesting a single API key would be reasonable for Tavily integration, but the fact it is not declared in the skill metadata is an inconsistency that should be corrected. No other env vars are accessed.
Persistence & Privilege
The skill does not request persistent presence (always: false), does not modify agent/system configuration, and does not declare any special config paths. No elevated persistence privileges are requested.
What to consider before installing
This skill's docs promise RSS/web scraping and scheduled push features, but the shipped code only performs Tavily searches and expects a TAVILY_API_KEY (not declared in metadata). Before installing or running:
1) Ask the publisher for the missing schedule_briefing.py and any RSS/web-scraping code, or for an explanation why those features are documented but absent.
2) Require the author to declare TAVILY_API_KEY in the skill metadata and document exactly how the Tavily client is used (network endpoints, scopes).
3) Inspect the 'tavily' package on PyPI (or vendor) before running 'pip install'—avoid installing unknown packages on production systems.
4) Run the script in an isolated/sandbox environment and review network activity if you decide to test it.
5) If you cannot obtain clarification, do not grant this skill access to production data or credentials.
Providing the missing files or corrected metadata would increase confidence that the skill is coherent.
Like a lobster shell, security has layers — review code before you run it.
