← Back to Skills Marketplace

科技投资日报

Name: 科技投资日报
Author: ilove323

by ilove323 · GitHub ↗ · v1.1.0

cross-platform ⚠ suspicious

459

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install tech-invest-daily

Description

科技行业投资日报生成与推送。当用户要求生成科技投资日报、发送每日投资报告、或cron定时触发日报任务时使用。自动抓取财联社实时新闻、获取涉及上市公司股价、生成深度分析报告并通过飞书一条消息发送完整Markdown报告，同时生成PDF附件。

Usage Guidance

This skill will attempt to read your platform's OpenClaw config (/root/.openclaw/openclaw.json) to extract Feishu appId/appSecret and then use those to get a tenant token and upload/send PDFs — but it does not declare that requirement. Before installing: (1) do not assume credentials are safe to share — inspect /root/.openclaw/openclaw.json and confirm whether it contains sensitive tenant credentials. (2) Ask the author to explicitly declare required credentials or change the skill to request Feishu credentials at configuration time rather than silently reading platform config. (3) Verify presence and origin of the referenced md2pdf-weasyprint conversion script and any fonts; these dependencies are required but not installed by the skill. (4) If you must run it, run in an isolated environment or a dedicated account with limited Feishu privileges, and rotate Feishu credentials after testing. (5) If you cannot validate these points, treat the skill as untrusted and avoid giving it access to platform/global config.

Capability Analysis

Type: OpenClaw Skill Name: tech-invest-daily Version: 1.1.0 The skill is classified as suspicious due to critical prompt injection vulnerabilities in `SKILL.md`. The AI agent is instructed to execute shell commands (`python3` and `bash`) where arguments (such as stock codes for `scripts/report.py` and file paths for the `md2pdf-weasyprint` script) are constructed by the agent. If an attacker can craft a prompt that causes the agent to include shell metacharacters (e.g., `;`, `$()`) in these arguments, it could lead to arbitrary command execution (shell injection).

Capability Assessment

⚠ Purpose & Capability

The skill claims no required credentials/config, but the SKILL.md and embedded code expect platform-local files and secrets (e.g., /root/.openclaw/openclaw.json for Feishu appId/appSecret and a md2pdf-weasyprint script under /root/.openclaw/workspace/skills/…). Accessing other agent/platform config is outside the declared purpose and requirements.

⚠ Instruction Scope

Instructions explicitly tell the agent to read /root/.openclaw/openclaw.json to obtain Feishu credentials, to execute a Python snippet that posts to Feishu, and to call a conversion script at /root/.openclaw/workspace/skills/md2pdf-weasyprint/scripts/convert-weasyprint.sh. These operations access undeclared config and other skill workspaces and give the skill authority to use tenant-level Feishu credentials.

ℹ Install Mechanism

No install spec is provided (instruction-only plus included scripts). That lowers installation risk, but SKILL.md and scripts rely on external tools/environments (curl, pandoc/weasyprint, md2pdf-weasyprint script, fonts at /tmp/NotoSansCJK.ttf) that are not declared — functional mismatch rather than direct supply-chain download risk.

⚠ Credentials

Declared requirements list no credentials or config paths, yet the runtime instructions read platform config for Feishu app_id/app_secret and use them to obtain a tenant_access_token and upload files. That is disproportionate: the skill uses sensitive tenant credentials without declaring them or asking the user explicitly.

⚠ Persistence & Privilege

always:false (normal), but the skill instructs reading a global agent config file (/root/.openclaw/openclaw.json) which may contain other channels/credentials. Accessing that global config is a privilege beyond the skill's stated scope and could expose secrets belonging to the platform or other skills.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install tech-invest-daily
After installation, invoke the skill by name or use /tech-invest-daily
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.1.0

PDF生成改用md2pdf-weasyprint，完美支持中文

Metadata

Slug tech-invest-daily

Version 1.1.0

License —

All-time Installs 2

Active Installs 2

Total Versions 1

Frequently Asked Questions

What is 科技投资日报?

科技行业投资日报生成与推送。当用户要求生成科技投资日报、发送每日投资报告、或cron定时触发日报任务时使用。自动抓取财联社实时新闻、获取涉及上市公司股价、生成深度分析报告并通过飞书一条消息发送完整Markdown报告，同时生成PDF附件。 It is an AI Agent Skill for Claude Code / OpenClaw, with 459 downloads so far.

How do I install 科技投资日报?

Run "/install tech-invest-daily" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 科技投资日报 free?

Yes, 科技投资日报 is completely free (open-source). You can download, install and use it at no cost.

Which platforms does 科技投资日报 support?

科技投资日报 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created 科技投资日报?

It is built and maintained by ilove323 (@ilove323); the current version is v1.1.0.

More Skills