Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Daily Briefing
v1.0.0整合天气、日程、待办、新闻和通勤建议,生成工作日早晨核心信息的一条简明晨间简报。
⭐ 0· 44·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to integrate weather, calendar (WeCom), todos (WeCom), and multi-source news, which is coherent in purpose. However, it does not declare any required credentials or config even though the SKILL.md and comments explicitly refer to '企业微信和相关 API' and dependent skills (wecom-schedule, wecom-get-todo-list, web-search-pro). A realistic implementation would require service API keys/tokens for those integrations; omission of those requirements is an incoherence.
Instruction Scope
SKILL.md provides clear high-level instructions for triggering the briefing and lists dependent skills. The included script is conservative: it fetches weather via wttr.in and prints placeholders for calendar/todo/news integrations. Instructions do not tell the agent to read arbitrary files or unspecified environment variables, but they are vague about how to obtain/provide credentials for the dependent integrations. That vagueness grants broad implementation discretion and should be clarified.
Install Mechanism
There is no install spec (instruction-only plus a small shell script). No external installers, downloads, or archive extraction are used. This is low-risk from an installation perspective.
Credentials
The skill declares no required environment variables or primary credential, yet its described functionality (WeCom calendar/todo, news search) inherently needs credentials/API keys. This mismatch could lead implementations to request sensitive tokens later without that being signaled here. Also the script uses wttr.in and may rely on location data (location: auto) which could leak location if implemented to auto-resolve.
Persistence & Privilege
The skill is not always-enabled and uses default autonomous invocation settings. It does not request persistent or system-wide privileges in the provided files. No evidence it attempts to modify other skills or global agent configuration.
What to consider before installing
This skill's purpose (daily morning briefing) is reasonable and the included script is benign, but it advertises integrations (WeCom calendar/todo and third-party news) while declaring no credentials or configuration. Before installing or enabling: 1) Ask the publisher which credentials/config are required and how/where tokens are stored (environment vars, secret store, agent config). 2) Review the dependent skills (wecom-schedule, wecom-get-todo-list, web-search-pro) to see what permissions and credentials they require and whether they'll access calendar/todo content. 3) Be aware that 'location: auto' and the weather call (wttr.in) may expose your location or IP to external services—confirm privacy expectations. 4) Because the source/homepage is unknown, prefer installing in a limited test environment and monitor outbound network calls (to wttr.in and any news/search endpoints). If sensitive corporate calendar/todo data is involved, ensure those integrations meet your org's security policies before granting access.Like a lobster shell, security has layers — review code before you run it.
latestvk97938cc1r4hn2rmccy6ykrcrs83pc69
License
MIT-0
Free to use, modify, and redistribute. No attribution required.