tujinsama

运营数据日报虾

by Ricky · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 73
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install operation-daily-report-claw
Description
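运营数据日报虾: automated multi-platform operations data collection and daily report generation. It collects data from Douyin, Xiaohongshu, WeChat Channels, Bilibili, Weibo and other platforms, cleans and normalizes it, generates a structured daily report, and pushes it to Feishu docs/group chats. **Use this Skill when**: (1) you need to aggregate operations data from multiple content platforms (Douyin/Xiaohongshu/WeChat Channels/Bilibili/Weibo) (2) you need to generate daily, weekly or monthly operations reports...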
Usage Guidance
This skill appears to implement the advertised report workflow, but the package metadata hides the real secrets it needs. Before installing:
  1. Insist the publisher update metadata to list required env vars (DOUYIN_*, XIAOHONGSHU_COOKIE, WEIXIN_CORP_*, BILIBILI_SESSDATA, WEIBO_*, etc.).
  2. Review scripts locally (they call only known platform endpoints via curl) and run them in an isolated environment or container.
  3. Avoid pasting long-lived full-account credentials; prefer scoped tokens where possible and rotate cookies/tokens frequently.
  4. Confirm how Feishu integration is performed (the skill expects external agent tools like feishu_create_doc/message).
  5. If you must run on production servers, ensure data/ and .env are permission-restricted and consider limiting network egress or running behind a proxy to monitor outgoing API calls.
If the publisher cannot justify the missing metadata or answer how credentials are stored/rotated, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: operation-daily-report-claw
Version: 1.0.0
The skill bundle contains a code injection vulnerability in `scripts/fetch-platform-data.sh`. The script interpolates the `target_date` variable directly into a Python command string (`python3 -c`) without sanitization, which could allow an attacker to execute arbitrary Python code via a crafted date string (e.g., through prompt injection if the agent passes unvalidated user input to the script). While the bundle's stated purpose of automating social media reporting for platforms like Douyin and Xiaohongshu appears legitimate, this lack of input sanitization in a shell-to-python execution context represents a significant security flaw.
Capability Tags
requires-oauth-token
Capability Assessment
Purpose & Capability
The skill claims to aggregate platform metrics and push reports to Feishu, which matches the included scripts. However, the registry metadata lists no required environment variables or primary credential, while the scripts and reference docs clearly expect multiple sensitive credentials (DOUYIN_ACCESS_TOKEN, XIAOHONGSHU_COOKIE, WEIXIN_CORP_ID/SECRET, BILIBILI_SESSDATA, WEIBO_ACCESS_TOKEN, etc.). That omission is an inconsistency: a legitimate aggregator should declare these requirements up front.
Instruction Scope
SKILL.md and the scripts keep to the stated workflow: ask user which platforms, read credentials from a local .env, call platform APIs (curl), normalize JSON, run report generator, then push via Feishu tools. The instructions reference reading a .env and saving files under data/raw and data/reports (expected). They also instruct use of feishu_create_doc and message tools (agent/tool integration) and scheduling via cron. Nothing in the instructions reads unrelated system config or exfiltrates to unknown endpoints.
Install Mechanism
There is no install spec (lower install risk) but the skill bundle includes executable scripts that will run on the host. The fetch script uses curl/jq/python and the report generator requires pandas/jinja2; the package does not declare dependency installation. This is not malicious but means the operator must ensure required binaries and Python packages are installed in a controlled environment.
Credentials
The skill requires multiple high-sensitivity credentials (OAuth tokens, cookies, SESSDATA, corp secrets) for the platforms it integrates with. The registry metadata declares no required env vars — a mismatch that hides the true secrets surface. Using cookies (e.g., XIAOHONGSHU_COOKIE or BILIBILI_SESSDATA) is inherently fragile and sensitive and should be minimized or rotated. The number and sensitivity of env vars is proportionate to the task, but they should be declared and justified in metadata.
Persistence & Privilege
The skill is user-invocable and not forced-always; it does not request elevated platform privileges or modify other skills. It reads/writes files under its own workspace (data/) and suggests optional cron scheduling, which is normal for automation. Autonomous invocation is allowed (platform default) but not combined with other red flags here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install operation-daily-report-claw
  3. After installation, invoke the skill by name or use /operation-daily-report-claw
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
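Initial release: multi-platform operations data collection and daily report generation, supporting Douyin/Xiaohongshu/WeChat Channels/Bilibili/Weibo, with anomaly detection and Feishu push.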
Metadata
Slug: operation-daily-report-claw
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is 运营数据日报虾?

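运营数据日报虾: automated multi-platform operations data collection and daily report generation. It collects data from Douyin, Xiaohongshu, WeChat Channels, Bilibili, Weibo and other platforms, cleans and normalizes it, generates a structured daily report, and pushes it to Feishu docs/group chats. **Use this Skill when**: (1) you need to aggregate operations data from multiple content platforms (Douyin/Xiaohongshu/WeChat Channels/Bilibili/Weibo) (2) you need to generate daily, weekly or monthly operations reports... It is an AI Agent Skill for Claude Code / OpenClaw, with 73 downloads so far.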

How do I install 运营数据日报虾?

Run "/install operation-daily-report-claw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 运营数据日报虾 free?

Yes, 运营数据日报虾 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 运营数据日报虾 support?

运营数据日报虾 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 运营数据日报虾?

It is built and maintained by Ricky (@tujinsama); the current version is v1.0.0.
