Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Morning Report
v1.0.0为SLG手游制作人提供每日涵盖AI与游戏行业资讯、竞品监控、社区反馈、SLG新品测试、STEAM新游及广告数据的行业晨报。
⭐ 0· 36·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (daily SLG industry morning report) align with the SKILL.md: it specifies precise web searches, content structure, and delivery to DingTalk. There are no unrelated env vars, binaries, or install steps requested.
Instruction Scope
SKILL.md stays on-task (search web, collate results, format Markdown for DingTalk). It explicitly requires use of a web search tool and the platform 'message' tool to send to a specific DingTalk target (target: 2735046220840628) and insists the skill must call the message tool to deliver output. That external-send requirement is expected for a publishing skill but increases the importance of reviewing who/what that target ID corresponds to.
Install Mechanism
Instruction-only skill with no install steps, no code files, and no downloads — lowest installation risk.
Credentials
The skill declares no environment variables or credentials, which is proportionate. However, it relies on runtime tools (web search and message sending) that in practice may require credentials or scopes (e.g., DingTalk webhook/token, search API key). These tool permissions are not declared in the metadata and should be verified before enabling.
Persistence & Privilege
always:false and no indication the skill writes persistent config or modifies other skills. Autonomous invocation is allowed (platform default) but not combined here with broad credential requests, so no elevated privilege concerns from metadata alone.
Assessment
This skill appears to do what it says: perform targeted web searches, format a DingTalk-compatible Markdown report, and send it to a DingTalk channel. Before installing, confirm: (1) which DingTalk channel/account corresponds to the hardcoded target ID (2735046220840628) and that you trust that destination; (2) that the agent's message tool is appropriately authorized (and limit that authorization to only the needed channel if possible); (3) what web-search tool will be used and whether it requires API keys or will expose query/content to an external service; and (4) whether you want the agent to be allowed to autonomously send daily reports. To be cautious, test with a non-production/test channel and review the first few reports for sensitive content before enabling regular runs.Like a lobster shell, security has layers — review code before you run it.
latestvk971y8bpzr6ngr8bh8kvfxjg4s841meq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.