Bid information from 17 websites in the Yannan and Economic Development districts of Yancheng, Jiangsu

Advisory. Audited by static analysis on May 5, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the skill may use the user's default Feishu app authority to upload files or send messages.

Why it was flagged

The skill can read the user's local OpenClaw Feishu app credentials from a global config profile, while the registry metadata declares no primary credential or required environment variables.

Skill content
config_path = os.path.expanduser('~/.openclaw/openclaw.json') ... return account.get('appId'), account.get('appSecret')
Recommendation

Declare the Feishu credential requirement clearly, ask the user to choose the app and target chat, and avoid reading global default credentials without explicit consent.

What this means

Generated reports could be sent to a Feishu destination the user did not intend if credentials and scheduling are active.

Why it was flagged

The skill documents uploading report files to Feishu and sending them to fixed group/user IDs, rather than clearly requiring the installing user to set or confirm the recipient.

Skill content
Target group ID: `oc_7cecd47c4c8e7fdb5233f8343df7d59f` ... direct-message user ID: `oc_a06e78cf3e4b06479ec27c54af2a5623` ... upload: `POST /im/v1/files` ... send: `POST /im/v1/messages`
Recommendation

Remove hard-coded recipient IDs or make them explicit user configuration, and require confirmation before first external push.
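One way to meet the two recommendations above (explicit credentials for the first finding, explicit and confirmed recipients for the second), as an added Python example that is not the skill's own code. It assumes a profile layout with the `appId`/`appSecret` keys the first finding quotes; the account name, the environment variable names `FEISHU_APP_ID`, `FEISHU_APP_SECRET`, `FEISHU_ACCOUNT` and `FEISHU_CHAT_ID`, and the sample IDs are all hypothetical:

```python
from dataclasses import dataclass

# Constructed sample of a global OpenClaw profile. The nesting is an
# assumption modelled on the keys the finding quotes, not a verified layout.
GLOBAL_PROFILE = {
    "feishu": {
        "accounts": {
            "default": {"appId": "cli_default", "appSecret": "secret-default"},
            "reports": {"appId": "cli_reports", "appSecret": "secret-reports"},
        }
    }
}


@dataclass(frozen=True)
class FeishuTarget:
    app_id: str
    app_secret: str
    chat_id: str


def load_credentials_unsafe(profile=GLOBAL_PROFILE):
    """The pattern the finding flags: silently borrow the user's default app."""
    account = profile["feishu"]["accounts"]["default"]
    return account.get("appId"), account.get("appSecret")


def load_target(env, profile=None):
    """Hardened loader: app and recipient must both be named explicitly.

    Credential precedence: FEISHU_APP_ID/FEISHU_APP_SECRET from the
    environment, else the account named by FEISHU_ACCOUNT inside a profile
    the caller passed in deliberately. The unnamed 'default' account is never
    picked up implicitly, and there is no built-in fallback chat ID.
    (All variable names are assumptions for this example.)
    """
    chat_id = env.get("FEISHU_CHAT_ID")
    if not chat_id:
        raise ValueError("FEISHU_CHAT_ID is unset; refusing to guess a recipient")
    app_id = env.get("FEISHU_APP_ID")
    secret = env.get("FEISHU_APP_SECRET")
    if not (app_id and secret):
        name = env.get("FEISHU_ACCOUNT")
        if not name or profile is None:
            raise ValueError("set FEISHU_APP_ID/FEISHU_APP_SECRET or FEISHU_ACCOUNT")
        account = profile.get("feishu", {}).get("accounts", {}).get(name)
        if account is None:
            raise ValueError(f"account {name!r} not present in profile")
        app_id, secret = account["appId"], account["appSecret"]
    return FeishuTarget(app_id, secret, chat_id)


def push_report(target, confirmed, send):
    """Send only to (app, chat) pairs the user has confirmed once.

    `confirmed` is the set of already-approved (app_id, chat_id) pairs
    (persist it wherever the skill keeps state); `send` is the real uploader.
    An unconfirmed pair is never sent to: the caller gets False and must ask
    the user, then add the pair to `confirmed` before retrying.
    """
    key = (target.app_id, target.chat_id)
    if key not in confirmed:
        return False
    send(target)
    return True


if __name__ == "__main__":
    # "oc_example" is a placeholder chat ID, not a real recipient.
    env = {"FEISHU_ACCOUNT": "reports", "FEISHU_CHAT_ID": "oc_example"}
    target = load_target(env, GLOBAL_PROFILE)
    sent = []
    print(push_report(target, set(), sent.append))                         # False, nothing sent
    print(push_report(target, {(target.app_id, target.chat_id)}, sent.append))  # True
```

The point of `push_report` taking the confirmation set as an argument is that the first external push of a new app/recipient pair can only happen after a code path that involved the user; a hard-coded ID baked into documentation never satisfies that gate.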

Note (High Confidence)
ASI10: Rogue Agents
What this means

The skill may continue producing and sending reports on a schedule if the cron job is installed or already active.

Why it was flagged

The skill describes a persistent daily scheduled task that automatically collects data, generates PDFs, and pushes to Feishu.

Skill content
Cron scheduled task ... schedule: daily `0 7 * * *` ... run: collection + PDF generation + Feishu group push
Recommendation

Verify whether the cron job exists, confirm the schedule and recipient, and disable it if automatic sending is not desired.
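The check above, as an added Python example that is not part of the skill: it parses a `crontab -l` dump, finds active jobs whose command mentions the push, renders the schedule in plain words, and produces a copy with those jobs commented out for review before reinstalling with `crontab -`. The crontab text and the command paths in it are constructed for the example:

```python
import re

# Constructed stand-in for `crontab -l` output. The script paths are
# illustrative; only the "0 7 * * *" schedule comes from the skill's docs.
SAMPLE_CRONTAB = """\
MAILTO=""
# bid-report daily push
0 7 * * * cd /opt/bid-report && python3 run.py --push-feishu >> /var/log/bid.log 2>&1
30 2 * * 0 /usr/bin/certbot renew --quiet
#0 7 * * * python3 /opt/old/run.py --push-feishu
"""

_ASSIGNMENT = re.compile(r"^\w+=")


def _split_job(line):
    """Return (fields, command) for an active 5-field job line, else None.

    Blank lines, comments (which is how a disabled job looks) and
    VAR=value assignments are not jobs.
    """
    s = line.strip()
    if not s or s.startswith("#") or _ASSIGNMENT.match(s):
        return None
    parts = s.split(None, 5)
    if len(parts) < 6:
        return None  # malformed or @reboot-style; out of scope here
    return tuple(parts[:5]), parts[5]


def parse_crontab(text):
    return [job for job in map(_split_job, text.splitlines()) if job]


def find_jobs(text, pattern):
    """Active jobs whose command matches `pattern` (a regex)."""
    return [(f, c) for f, c in parse_crontab(text) if re.search(pattern, c)]


def describe(fields):
    """Plain-words rendering for the fixed minute/hour daily case the skill
    uses; anything else is returned as the raw expression."""
    minute, hour, dom, month, dow = fields
    if minute.isdigit() and hour.isdigit() and (dom, month, dow) == ("*", "*", "*"):
        return f"daily at {int(hour):02d}:{int(minute):02d}"
    return "cron expression " + " ".join(fields)


def disable_jobs(text, pattern):
    """Crontab text with matching active jobs commented out, so the
    schedule is preserved for the record but no longer runs."""
    out = []
    for line in text.splitlines():
        job = _split_job(line)
        if job and re.search(pattern, job[1]):
            out.append("#DISABLED " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for fields, command in find_jobs(SAMPLE_CRONTAB, r"push-feishu"):
        print(describe(fields), "->", command)
    print(disable_jobs(SAMPLE_CRONTAB, r"push-feishu"))
```

Run it against real output with `crontab -l | python3 check_cron.py` after replacing the constructed sample with `sys.stdin.read()`; system-wide schedules under `/etc/cron.d` and `systemd` timers are separate places to look and are not covered by this parser.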

What this means

If the optional relay is installed, the user depends on whatever version is current at install time.

Why it was flagged

The optional Browser Relay guide installs unpinned Docker image and npm package versions, which weakens dependency provenance and reproducibility.

Skill content
docker pull openclaw/browser-relay:latest ... npm install -g @openclaw/browser-relay
Recommendation

Pin package/image versions and verify the source before installing optional relay components.

What this means

Automated crawling could trigger blocking or violate site rules if used aggressively or without permission.

Why it was flagged

The crawler documentation discusses browser automation, random User-Agent use, and proxies for sites that block scraping.

Skill content
Blocked sites ... WAF-blocked, requires Playwright ... anti-crawling strategy ... use random User-Agent ... use proxy IPs when necessary
Recommendation

Use conservative rate limits, respect site policies, and avoid anti-bot bypass techniques unless clearly authorized.
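The opposite of the documented approach, as an added Python example that is not the skill's code: a fixed and honest User-Agent, robots.txt rules honoured through the standard library's `urllib.robotparser`, a per-host minimum spacing that respects `Crawl-delay`, and back-off that stops after repeated 403/429 responses instead of rotating identities. The robots.txt content, hostnames and User-Agent string are constructed for the example; a real crawler would fetch and cache one robots.txt per host:

```python
import time
import urllib.robotparser
from urllib.parse import urlparse

# Constructed robots.txt for a hypothetical procurement portal.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /search
Crawl-delay: 5
"""

# One stable, identifiable User-Agent rather than a random one.
USER_AGENT = "bid-report-crawler/1.0 (+mailto:ops@example.invalid)"


class PoliteFetcher:
    """Robots compliance, per-host spacing, and back-off on blocking.

    `clock` and `sleep` are injectable so the behaviour can be tested
    without real waiting. This example holds one robots.txt; in practice
    keep one parser per host.
    """

    def __init__(self, robots_text, min_interval=2.0, max_interval=300.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.rp = urllib.robotparser.RobotFileParser()
        self.rp.parse(robots_text.splitlines())
        delay = self.rp.crawl_delay(USER_AGENT)  # None when the site sets none
        self.interval = max(min_interval, float(delay or 0))
        self.max_interval = max_interval
        self.last_request = {}  # host -> time of last request
        self.consecutive_blocks = 0
        self.clock, self.sleep = clock, sleep

    def allowed(self, url):
        return self.rp.can_fetch(USER_AGENT, url)

    def throttle(self, url):
        """Block until the per-host interval has elapsed; returns seconds waited."""
        host = urlparse(url).netloc
        now = self.clock()
        wait = self.last_request.get(host, float("-inf")) + self.interval - now
        if wait > 0:
            self.sleep(wait)
            now += wait
        self.last_request[host] = now
        return max(wait, 0.0)

    def record_response(self, status):
        """Slow down on 403/429; after three in a row, stop rather than evade."""
        if status in (403, 429):
            self.consecutive_blocks += 1
            self.interval = min(self.interval * 2, self.max_interval)
            if self.consecutive_blocks >= 3:
                raise RuntimeError("repeatedly blocked; stop and ask the site operator")
        else:
            self.consecutive_blocks = 0


if __name__ == "__main__":
    f = PoliteFetcher(SAMPLE_ROBOTS)
    for url in ("https://portal.example/notice/1", "https://portal.example/admin/x"):
        if f.allowed(url):
            f.throttle(url)
            print("would fetch", url)
        else:
            print("skipped by robots.txt", url)
```

The design choice worth noting is that a block response raises the interval and eventually aborts; it never triggers a User-Agent change or a proxy switch, which is exactly the behaviour the finding warns against.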