← Back to Skills Marketplace
327
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install jqzx-news-push
Description
每日科技新闻自动推送服务。 **当用户想要「每日科技新闻」「自动推送新闻」「设置新闻定时任务」时使用此技能。** 功能: - 获取机器之心最新科技热榜 - 定时发送到飞书 - 自动保存到 Get笔记 使用此技能前需要配置: - 机器之心 MCP Token - Get笔记 API Key 和 Client ID...
README (SKILL.md)
每日科技新闻推送 Skill
⚠️ 必读 - 首次使用配置
需要配置的环境变量
先检查环境变量:
echo "JI_ZHIXIN_TOKEN: $JI_ZHIXIN_TOKEN"
echo "GETNOTE_API_KEY: $GETNOTE_API_KEY"
echo "GETNOTE_CLIENT_ID: $GETNOTE_CLIENT_ID"
如果环境变量为空,告诉用户需要配置以下内容:
使用此技能需要先配置以下凭证:
1. 机器之心 Token
- 访问 https://mcp.applications.jiqizhixin.com/ 申请 MCP/RSS 服务
- 获取 Token(格式:mcp-sk-xxx)
2. Get笔记 凭证(已有可跳过)
- 访问 https://www.biji.com/openapi 获取
- API Key(格式:gk_live_xxx)
- Client ID(格式:cli_xxx)
3. 飞书用户ID
- 打开飞书 → 点击头像 → 复制用户ID
- 格式:ou_xxx
配置命令(添加到 ~/.bashrc):
export JI_ZHIXIN_TOKEN="你的机器之心Token" export GETNOTE_API_KEY="你的Get笔记API Key" export GETNOTE_CLIENT_ID="你的Get笔记Client ID" export FEISHU_TARGET="你的飞书用户ID"然后运行
source ~/.bashrc使配置生效
功能说明
核心功能
- 获取科技新闻 - 从机器之心 RSS 获取最新热榜
- 飞书推送 - 自动发送到指定飞书用户/群
- 笔记保存 - 自动保存到 Get笔记
- 定时任务 - 每天自动执行
使用方式
| 用户说 | 含义 |
|---|---|
| "推送今天的新闻" | 立即获取并发送 |
| "设置每日新闻" | 配置定时任务 |
| "取消新闻推送" | 删除定时任务 |
| "查看新闻配置" | 显示当前配置状态 |
定时任务设置
告诉用户:设置每天早上 8 点自动推送:
- 创建定时任务:
crontab -e
添加:
0 8 * * * /root/.openclaw/workspace/skills/daily-news-push/scripts/push-news.sh >> /tmp/daily-news.log 2>&1
- 或让用户说"设置每日新闻",我帮他配置
脚本说明
push-news.sh
脚本位置:/root/.openclaw/workspace/skills/daily-news-push/scripts/push-news.sh
功能:
- 获取机器之心 RSS 新闻
- 发送到飞书
- 保存到 Get笔记
- 输出日志
配置检查脚本
位置:/root/.openclaw/workspace/skills/daily-news-push/scripts/check-config.sh
用于检查环境变量是否配置完整。
故障排除
| 问题 | 解决方案 |
|---|---|
| 发送失败 | 检查 FEISHU_TARGET 是否正确 |
| 笔记保存失败 | 检查 GETNOTE_API_KEY 和 CLIENT_ID |
| 获取新闻失败 | 检查 JI_ZHIXIN_TOKEN 是否有效 |
| 定时不执行 | 检查 crontab 是否添加成功 |
安全规则
- 用户凭证仅用于为该用户服务
- 不保存用户 Token 到代码中
- 定时任务日志包含敏感信息,需保护
Usage Guidance
This skill appears to do what it says, but review these before installing:
- Metadata mismatch: package.json and SKILL.md require JI_ZHIXIN_TOKEN, GETNOTE_API_KEY, GETNOTE_CLIENT_ID, and FEISHU_TARGET, but registry metadata showed none — confirm which is authoritative.
- Avoid putting secrets in ~/.bashrc if you can; use a secure secrets store or environment mechanism. Plain env vars can be read by other processes and users.
- The script places the token in the RSS URL (query param). That URL will appear in the command-line of the curl process while it runs and could be exposed via process listings; consider modifying the script to send tokens via headers instead of query strings.
- The SKILL.md echoes environment variables to the console (echo "JI_ZHIXIN_TOKEN: $JI_ZHIXIN_TOKEN"). Remove or change these lines to avoid printing secret values to logs.
- The crontab examples reference /root/.openclaw/... and /tmp/daily-news.log. Running as root or logging to world-readable locations increases risk; run under a dedicated low-privilege user and protect logs.
- Confirm the endpoints (mcp.applications.jiqizhixin.com and openapi.biji.com) and that you trust them. Inspect the scripts locally before allowing the agent to modify crontab or run them.
If these issues are addressed (consistent metadata, no printing of secrets, token passed securely, non-root cron, protected logs), the skill would be coherent with its purpose. Until then treat it with caution.
Capability Analysis
Type: OpenClaw Skill
Name: jqzx-news-push
Version: 1.0.0
The skill is designed to fetch technology news and push it to Feishu and GetNote, but it contains a vulnerability in `scripts/push-news.sh`. The script constructs a JSON payload by directly injecting RSS content into a string template without proper escaping or sanitization, which could lead to broken payloads or API manipulation if the source news content contains special characters (e.g., double quotes). Additionally, the script transmits the `JI_ZHIXIN_TOKEN` as a plaintext URL query parameter, which is a weak security practice for credential handling.
Capability Assessment
Purpose & Capability
The scripts and SKILL.md implement exactly what the description promises (fetch MCP RSS, send to Feishu, save to Get笔记, create a daily cron). However there is an internal naming/metadata mismatch: registry/summary at the top shows no required env vars, while package.json and SKILL.md require JI_ZHIXIN_TOKEN, GETNOTE_API_KEY, GETNOTE_CLIENT_ID, and FEISHU_TARGET. The skill slug/name also differs between 'jqzx-news-push' and 'daily-news-push'. This inconsistency is unexpected and should be clarified.
Instruction Scope
Runtime instructions ask the agent/user to echo environment variables (which will print secret values), add a crontab entry under an absolute root path (/root/.openclaw/...), and optionally let the agent configure the crontab. The push script builds a URL with the token in the query string and calls curl; that token can appear in process arguments or logs. These behaviors are within the stated purpose but introduce avoidable leakage/privilege risks.
Install Mechanism
This is an instruction-only skill with no install spec; only contained scripts are executed by the agent or user. No external archives or downloads are installed by the skill itself.
Credentials
The required environment variables (MCP token, Get笔记 API Key & Client ID, Feishu target) are appropriate for the stated features. However the registry metadata initially claimed 'no required env vars' while package.json and SKILL.md require multiple credentials — that mismatch is a red flag. Also the instructions encourage storing secrets in ~/.bashrc (plain-text environment variables), which is not best practice for sensitive tokens.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. It does instruct creating a cron job (potentially under /root) which grants it persistent, scheduled execution; that is functionally necessary for 'daily push' but increases risk if run as root or without reviewing the script. The agent's ability to autonomously modify crontab is normal for skills but combined with the above issues increases blast radius.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install jqzx-news-push - After installation, invoke the skill by name or use
/jqzx-news-push - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
每日科技新闻推送 Skill v1.0.0
- 初始发布版本。
- 支持获取机器之心最新科技热榜。
- 可定时自动推送新闻到飞书,并同步保存到 Get笔记。
- 提供详细的凭证配置说明和故障排查指南。
- 支持用户通过自然语言设置、取消或查询新闻推送与定时任务。
Metadata
Frequently Asked Questions
What is jqzx-news-push?
每日科技新闻自动推送服务。 **当用户想要「每日科技新闻」「自动推送新闻」「设置新闻定时任务」时使用此技能。** 功能: - 获取机器之心最新科技热榜 - 定时发送到飞书 - 自动保存到 Get笔记 使用此技能前需要配置: - 机器之心 MCP Token - Get笔记 API Key 和 Client ID... It is an AI Agent Skill for Claude Code / OpenClaw, with 327 downloads so far.
How do I install jqzx-news-push?
Run "/install jqzx-news-push" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is jqzx-news-push free?
Yes, jqzx-news-push is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does jqzx-news-push support?
jqzx-news-push is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created jqzx-news-push?
It is built and maintained by bqcldz (@bqcldz); the current version is v1.0.0.
More Skills