Fund News Summary
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may keep running every day and produce/send reports even when the user did not just ask for one.
The skill declares recurring background execution, but the artifacts do not show clear opt-in, disable, or per-run review controls.
This skill is bound to the `DailyFundNews` cron job, executing automatically at **11:00 Beijing Time** daily.
Require explicit user opt-in for the cron job, document how to disable it, and avoid external sends or pushes during scheduled runs unless separately approved.
Generated reports could be posted to the wrong Telegram destination or committed to a GitHub repo without the user reviewing them first.
The instructions call for messaging and repository mutation, but do not specify approval, destination verification, dry-run behavior, or rollback.
Send to Telegram: Send the script output directly to Telegram ... Auto GitHub push: Automatically pushes to GitHub after generation
Show the exact Telegram recipient and GitHub repo/branch before sending or pushing, and require confirmation for each external write.
It may use whatever GitHub credentials are already present in the environment, and users may not realize which account or repo will be affected.
The skill expects authenticated GitHub access to push to a hard-coded repository, while the registry metadata declares no primary credential or required environment variables.
GitHub push fails - Cause: Network issue or authentication expired ... GitHub repo: `https://github.com/YonghaoZhao722/yonghao-notes`
Declare the required credentials and scopes, use a dedicated least-privilege token, and make the target repository configurable by the user.
Installing or running this skill may execute additional code from another local skill or directory that the user has not reviewed.
The script invokes an external qveris helper that is not included in this skill's manifest or install spec, so its provenance and behavior are not reviewable here.
`QVERIS_PATH = os.path.join(os.path.dirname(__file__), "../qveris")` ... `cmd = ["python3", "scripts/qveris_tool.py", "execute", tool_id, ...]`
Declare qveris as a dependency, pin or include the required helper, and document exactly what external tool permissions it needs.
Reports can reveal the user's market interests or watchlist and may be delivered outside the intended audience.
The skill sends generated fund/news reports to an unspecified Telegram destination, leaving the external data boundary unclear.
Send to Telegram: Send the script output directly to Telegram
Require the Telegram chat/channel to be explicitly configured and displayed before sending, and avoid automatic delivery unless enabled by the user.
Old or inaccurate generated summaries could remain in the user's notes and influence later research.
The skill persistently stores generated summaries in an Obsidian vault, which is purpose-aligned but may later be reused, synced, or trusted as context.
Obsidian save path: `/root/clawd/obsidian-vault/reports/fund/YYYY-MM-DD.md`
Keep the vault location configurable, label generated reports clearly, and review them before syncing or reusing them as trusted notes.
