← Back to Skills Marketplace

Today Task For Xiaoyi Claw

Name: Today Task For Xiaoyi Claw
Author: ganhaiyang3

by Minus One Screen · GitHub ↗ · v1.0.26 · MIT-0

cross-platform ⚠ suspicious

116

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install today-task-for-xiaoyi-claw

Description

小艺claw专用任务结果推送器，当任务完成后将结果推送到负一屏。使用统一的标准数据格式，支持各种类型的任务结果推送。

Usage Guidance

This skill appears to implement its stated function (format task results and POST them to a Huawei endpoint), but there are important red flags you should consider before installing: - Metadata mismatch: The registry metadata claims no credentials or config paths are required, but the code requires a local credential file (~/.openclaw/.xiaoyienv) containing PERSONAL-API-KEY and PERSONAL-UID. Expect to create that file if you run it. - Hard-coded external endpoint: All data are sent to a fixed Huawei URL in the code. You cannot change the destination via metadata; if you need a different endpoint or want to keep data local, you'll have to modify the code. - Secret leakage: The code prints the credential values to the console (it prints the parsed keys). In shared environments or CI this will expose sensitive tokens. Consider editing the code to remove those prints before use (or run in an isolated environment). - Local file access: The skill reads a global user path outside its own directory. If you share the machine or use global credentials for other services, this increases risk. - Logs and records: By default it writes logs and push_records locally; inspect these directories and consider disabling save_records if you don't want local copies. Recommendations: 1. Treat this as suspicious rather than outright malicious; it likely is functional but sloppy. Only install if you trust the author/source. 2. Before running, review and/or modify hiboards_client.read_xiaoyienv and push() to remove any prints of secret values and to allow a configurable credential path or to avoid using global credentials. 3. If you don't trust the default endpoint, modify the code to accept a configurable endpoint (and avoid hard-coded URLs). 4. Run in an isolated environment or container, and avoid supplying production credentials until you've audited the code and removed the secret-printing behavior. 5. If you need the functionality but want lower risk, ask the maintainer to update the skill metadata to declare the required config path and to stop printing secrets, or fork and harden the code yourself.

Capability Analysis

Type: OpenClaw Skill Name: today-task-for-xiaoyi-claw Version: 1.0.26 The skill reads sensitive credentials (PERSONAL-API-KEY and PERSONAL-UID) from a hardcoded path outside its own directory (/home/sandbox/.openclaw/.xiaoyienv) and transmits them to a hardcoded external Huawei Cloud endpoint (dbankcloud.cn). While the SECURITY.md and SKILL.md files transparently document this behavior as necessary for the 'Xiaoyi Claw' integration, the direct access to files in the sandbox home directory and the hardcoding of API endpoints represent significant security risks. It is classified as suspicious rather than malicious because the behavior is documented and the data is sent to a legitimate service provider (Huawei) as part of the stated functionality.

Capability Assessment

⚠ Purpose & Capability

The skill's purpose (pushing task results to 负一屏) matches the code: it formats JSON and POSTs to a hard-coded Huawei endpoint. However the package metadata declares no required config paths or credentials, while the code requires and reads a local credential file (~/.openclaw/.xiaoyienv). That mismatch between declared requirements and actual behavior is incoherent and should be flagged.

⚠ Instruction Scope

SKILL.md and the code instruct the agent to read a local file outside the skill directory for PERSONAL-API-KEY and PERSONAL-UID and POST task data to a hard-coded external endpoint. Reading ~/.openclaw/.xiaoyienv (a user-global path) is outside the skill directory and not declared in metadata. The code also prints the credential values to stdout, leaking secrets to console/logs — this exceeds the narrow purpose of only formatting and pushing task results.

✓ Install Mechanism

No remote install/downloads or unusual installers. It's an instruction+source bundle with normal Python files and a small requirements.txt (requests). No extract-from-URL or third-party packages beyond 'requests' are used.

⚠ Credentials

Access to PERSONAL-API-KEY and PERSONAL-UID is proportionate to sending authenticated requests to the Huawei endpoint. However the skill's manifest claims no required credentials/config, yet the code depends on a user-local credential file. Additionally, the code prints the credential values to stdout (print(f'key "{key}" 存在：{config[key]}')), which risks exposing secrets. The undeclared access to a global user config path is a material inconsistency.

⚠ Persistence & Privilege

The skill is not 'always:true' and does not request elevated platform privileges, which is good. However it reads a global user config path (~/.openclaw/.xiaoyienv) that may contain credentials used by other components — this cross-directory access is not declared and increases blast radius. The skill also creates local logs and push_records by default.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install today-task-for-xiaoyi-claw
After installation, invoke the skill by name or use /today-task-for-xiaoyi-claw
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.26

- 更新了推送与SSE接口的华为云端点URL，采用 celia-claw-drcn.ai.dbankcloud.cn 域名。 - 推送数据结构 msgContent.source 字段要求修正为“小艺 Claw”。 - 文档中统一 endpoint 说明，多出端点/原 endpoint 地址全部替换。 - 其他内容和逻辑未变，依然只支持 JSON 输入文件推送任务结果。

v1.0.25

- 新增备份文件 meta.json 以增强元数据管理安全性。 - 更新文档，明确本地凭证文件（.xiaoyienv）是身份认证的必需条件，并不再默认支持“云端自动获取身份验证”。 - 明确区分 Linux/Mac 与 Windows 用户的凭证及路径配置方式，提升兼容性与使用说明清晰度。 - 强化安全说明：身份凭证需存于本地，网络请求发送到硬编码的华为云端点。 - 其他推送及本地配置逻辑未变，核心功能保持一致。

v1.0.24

today-task-for-xiaoyi-claw 1.0.24 - Skill name updated from "today-task" to "today-task-for-xiaoyi-claw" for clarity and platform specificity. - Meta file (_meta.json) added for improved metadata management. - Removed editor workspace configuration file (.idea/workspace.xml); no impact on skill functionality. - Documentation and configuration unchanged in functionality; no user-facing changes in usage or behavior.

v1.0.23

today-task-for-xiaoyi-claw v1.0.23 - 移除自动更新检查及相关辅助脚本，精简技能功能。 - 不再包含 update_checker、version_manager 等脚本和 UPDATE_SYSTEM.md 说明文件。 - SKILL.md 文档大幅简化，删除更新检测和多余流程说明，仅保留基础推送、输入输出与安全相关内容。 - 推送结果只反馈成功或失败，无版本更新提示和相关命令说明。 - 代码结构更精炼，聚焦核心推送能力。

v1.0.22

today-task-for-xiaoyi-claw v1.0.22 - 改为仅支持 JSON 文件输入任务结果，确保 Markdown 格式完整保留，命令行参数（如 --name、--content）不再支持 - 推送任务结果后，新增智能技能更新检查机制，仅在有更新或出现异常时提示用户 - 推送和更新结果整合显示在对话中，减少无关提示，带来更简洁用户体验 - 优化时间戳处理，强制采用 UTC，避免时区误差，新增时间戳验证方式说明 - 加强推送和本地日志、记录的隐私与安全说明，文档更完善

Metadata

Slug today-task-for-xiaoyi-claw

Version 1.0.26

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 5

Frequently Asked Questions

What is Today Task For Xiaoyi Claw?

小艺claw专用任务结果推送器，当任务完成后将结果推送到负一屏。使用统一的标准数据格式，支持各种类型的任务结果推送。 It is an AI Agent Skill for Claude Code / OpenClaw, with 116 downloads so far.

How do I install Today Task For Xiaoyi Claw?

Run "/install today-task-for-xiaoyi-claw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Today Task For Xiaoyi Claw free?

Yes, Today Task For Xiaoyi Claw is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Today Task For Xiaoyi Claw support?

Today Task For Xiaoyi Claw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Today Task For Xiaoyi Claw?

It is built and maintained by Minus One Screen (@ganhaiyang3); the current version is v1.0.26.

More Skills