PaperDaily

Review

Audited by ClawScan on May 10, 2026.

Overview

PaperDaily’s stated paper-recommendation purpose is plausible, but it requires Feishu app secrets and delegates its real behavior to an unreviewed npm package, so it should be reviewed before installation.

Before installing, review or pin the external `openclaw-paperdaily` npm package, create a dedicated low-permission Feishu app only for this skill, avoid granting broad Feishu permissions, and be prepared to rotate the Feishu secret if anything looks unclear.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill or its dependency could act using the configured Feishu app permissions, potentially affecting the selected Feishu chat or other granted Feishu capabilities.

Why it was flagged

The setup requires a Feishu app secret and chat ID, but the provided metadata says there are no required env vars or primary credential, and the instructions do not define minimum Feishu permissions.

Skill content

FEISHU_APP_ID=your_app_id
FEISHU_APP_SECRET=your_app_secret
FEISHU_CHAT_ID=your_chat_id
...
Configure app permissions and publish

Recommendation

Only use a dedicated least-privilege Feishu app and chat, verify the exact permissions needed, and prefer a version that declares these credentials and scopes in metadata.

What this means

The actual code that fetches papers and handles Feishu credentials is not visible in this review and could change within the allowed dependency range.

Why it was flagged

The skill’s own code is a thin wrapper that hands commands to a caret-versioned external npm package whose contents are not included in the reviewed artifacts.

Skill content

"openclaw-paperdaily": "^0.1.0"
import { processCommand } from '../node_modules/openclaw-paperdaily/dist/src/index.js';

Recommendation

Inspect the `openclaw-paperdaily` package source, pin an exact version or use a lockfile, and avoid providing credentials until the dependency provenance and behavior are verified.