Ai Daily
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the skill could post the generated report and local report path to an unintended DingTalk group using the user's OpenClaw messaging authority.
This script sends the report summary through OpenClaw to a specific hard-coded DingTalk group/session rather than a user-configured destination.
SUMMARY=$(head -60 "$REPORT_FILE") ... openclaw sessions send --session "agent:main:dingtalk:group:cid+sxosobsr081ckhs0jpsqw==" --message "$MESSAGE"
Remove the hard-coded session ID, require the user to configure the destination, and ask for confirmation before sending to any external chat.
A network attacker or proxy could tamper with fetched articles, links, or summaries that appear in the generated report.
The fetcher disables TLS hostname and certificate verification for network requests, reducing integrity protection for HTTPS feeds and APIs.
self.ssl_context.check_hostname = False
self.ssl_context.verify_mode = ssl.CERT_NONE
Use the default verified SSL context; if a specific source needs an exception, make it explicit, narrow, and user-configurable.
This may violate source-site expectations or cause blocking; it is not hidden, but users should understand the scraping behavior.
The configuration explicitly notes using a real browser User-Agent to bypass Cloudflare for one source.
"note": "使用真实浏览器 UA 绕过 Cloudflare"
Prefer official RSS/API sources or clearly document any scraping workaround and let users disable it per source.
If enabled, the skill will continue making network requests and writing reports on a schedule until the user removes the job.
The documentation shows how to create a recurring daily job for the skill.
0 8 * * * cd /home/admin/.openclaw/workspace/skills/ai-daily && bash scripts/generate.sh >> /var/log/ai-daily.log 2>&1
Enable scheduled execution only if desired, review the exact command and output path, and keep removal instructions handy.
These keys can grant access to external provider quotas or account features if configured.
The setup guide recommends optional provider credentials for search, LLM processing, and rate-limit improvements.
export TAVILY_API_KEY="tvly-xxxxxxxxxxxxxxxxxxxx"
export ALIBABA_CLOUD_API_KEY="sk-xxxxxxxxxxxxxxxxxxxx"
export GITHUB_TOKEN="ghp_xxxxxxxxxxxxxxxxxxxx"
Use only the optional keys you need, scope them minimally, and avoid storing broad or personal tokens in shared shell profiles.
