ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Daily

v1.2.0

AI 日报 - 自动抓取 LLM/Agent 领域热点信息,生成结构化中文简报。

0· 478·5 current·5 all-time
by@yanhe

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yanhe/ai-daily-cn.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Ai Daily" (yanhe/ai-daily-cn) from ClawHub.
Skill page: https://clawhub.ai/yanhe/ai-daily-cn
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: python3, curl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ai-daily-cn

ClawHub CLI

Package manager switcher

npx clawhub@latest install ai-daily-cn
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description (collect RSS/Tavily/arXiv and produce a daily report) aligns with the code and scripts, but there are mismatches: the runtime uses an ALIBABA_CLOUD_API_KEY for LLM calls (seen in config/prompts.md and ai_daily.py) but SKILL.md's declared env metadata only lists TAVILY_API_KEY and GITHUB_TOKEN. The scripts also invoke the openclaw CLI ('openclaw sessions send' / 'openclaw cron add'), yet 'openclaw' is not listed as a required binary in SKILL.md or registry metadata. These omissions are incoherent with the declared requirements.
!
Instruction Scope
Runtime instructions and included scripts perform network fetches (RSS, Tavily, arXiv) and call an external LLM endpoint (Alibaba dashscope). The code reads environment variables (TAVILY_API_KEY, GITHUB_TOKEN, and ALIBABA_CLOUD_API_KEY) — but ALIBABA_CLOUD_API_KEY is used without being declared in SKILL.md. There is also a push-to-dingtalk.sh that will send report content to an OpenClaw session with a hard-coded session id (agent:main:dingtalk:group:cid+...), meaning if that script is executed it will post data to that session/channel. The SKILL.md instructions do not fully call out those behaviors or the undeclared env var use.
Install Mechanism
There is no remote download/install step (instruction-only plus bundled scripts). No archive downloads or external installers are executed during install. That reduces supply-chain risk compared to skills that fetch arbitrary code at install time.
!
Credentials
The code expects multiple optional API keys (TAVILY_API_KEY, GITHUB_TOKEN, ALIBABA_CLOUD_API_KEY / ALIBABA key), but the SKILL.md metadata omitted ALIBABA_CLOUD_API_KEY and the registry lists no required env vars. The ALIBABA key grants remote LLM access to content the skill processes (report text, scraped content) — that is a powerful credential and should be explicitly declared. The push script can transmit report fragments to an external session/channel without prompting for credentials in the skill metadata.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. However, it contains an optional push script that will send report contents to a pre-configured OpenClaw/DingTalk session id (hard-coded). That is not automatic by default, but the presence of an embedded session identifier is a privacy/safety concern and should be reviewed before running push-to-dingtalk.sh. The skill does not modify other skills or system-wide configs.
What to consider before installing
What to check before installing or running: - Review and fix undeclared env vars: the code calls an Alibaba LLM endpoint using ALIBABA_CLOUD_API_KEY but SKILL.md/registry metadata does not declare it. If you plan to use remote LLMs, only set that secret after you understand what data will be sent. - Do not run push-to-dingtalk.sh until you verify the destination: the script contains a hard-coded OpenClaw/DingTalk session id; running it will send report contents to that session. Remove or replace the session id with your own, or avoid running the script. - Fix TLS settings: ai_daily.py disables SSL verification (ssl.CERT_NONE); this permits silent man-in-the-middle attacks. Update the code to use default SSL verification (do not set verify_mode to CERT_NONE and keep check_hostname True) before running on sensitive networks. - Ensure required binaries are declared and present: the scripts call the 'openclaw' CLI in push/generation examples but the skill only declares python3 and curl. If you don't have OpenClaw CLI configured, those commands will fail; if you do, be aware they can transmit messages. - Consider running in an isolated environment first (container or sandbox) and inspect logs to confirm what external endpoints receive your data. If you need the skill but not external pushes or remote LLM calls, edit the code to disable push scripts and/or the call_llm function and run in 'local-only' / debug mode. - If you are unsure, ask the skill author to (1) explicitly declare all env vars the code uses (including ALIBABA_CLOUD_API_KEY), (2) remove hard-coded session ids or make them configurable, and (3) re-enable proper SSL verification and document why network calls are necessary.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📰 Clawdis
Binspython3, curl
latestvk974fy03x467a5j8h035h7tyqh81y07m
478downloads
0stars
2versions
Updated 16h ago
v1.2.0
MIT-0
@yanhe
latest
Download

AI Daily - AI 大模型日报

自动从多个异构信息源抓取、筛选、提炼大模型(LLM)和智能体(Agent)领域的 Top 级热点信息与核心论文,生成结构化中文简报。

命令

生成日报

bash {baseDir}/scripts/generate.sh
bash {baseDir}/scripts/generate.sh --date 2026-02-26

查看今日简报

bash {baseDir}/scripts/view.sh today
bash {baseDir}/scripts/view.sh 2026-02-26

手动触发(通过 OpenClaw)

/ai-daily generate

数据源

官方实验室与博客

  • OpenAI, Anthropic, Google DeepMind, Meta AI, Mistral AI, Qwen, AWS ML

深度技术媒体

  • The Batch, Hugging Face, 机器之心,量子位,Distill

X (Twitter) KOL 追踪

  • karpathy, ylecun, _akhaliq 等(通过 Tavily Search)

学术论文

  • arXiv: cs.CL, cs.AI, cs.LG 分类

输出

每日生成 Markdown 格式简报,包含:

  1. 📌 核心大事件总结
  2. 🏢 官方框架更新
  3. 💬 KOL 前沿观点
  4. 📚 必读硬核论文

配置

编辑 {baseDir}/config/sources.json 自定义数据源。

定时任务

建议配置每日 08:00 自动执行:

# crontab -e
0 8 * * * cd /path/to/ai-daily && bash scripts/generate.sh

或在 OpenClaw 中使用 cron skill 设置。

Comments

Loading comments...