← 返回 Skills 市场

Daily Antifraud Report

Name: Daily Antifraud Report
Author: wdl2005

作者 wdl2005 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

189

总下载

当前安装

版本数

在 OpenClaw 中安装

/install daily-antifraud-report

功能描述

每天早上生成反诈简报：查询中国国内银行以及支付机构等反欺诈新闻，需要详细的反诈信息。 Use when: 用户说"生成今日反诈简报"，或 cron 在早上 8 点触发。 NOT FOR: 国外银行或金融机构的新闻。

使用说明 (SKILL.md)

Daily Anti-Fraud Report

When to Run

每天 8:00 AM 通过 cron 触发
用户主动说「给我今天的反诈简报」「今天有什么反诈热点」

Workflow

查看中国国内的反诈新闻：查看过去一周的中国国内银行及金融支付机构的反诈新闻（中国新闻网、中国人民银行网站、百度、知乎、微信公众号等）
分析发生的具体案例信息：获取发生时间、具体作案过程、银行名称、涉案金额等。
整合输出以下格式，推送飞书

Output Format

{案例时间}{具体案例过程}{银行名称}{涉案金额}{其他信息}
...

安全使用建议

This skill's goal (daily Chinese anti-fraud brief) is reasonable, but there are important gaps and ambiguities: it mentions scraping WeChat public accounts and pushing reports to Feishu but supplies only a simple Baidu-scraping shell script and declares no credentials. Before installing, ask the publisher to: (1) explain how Feishu posting will be authenticated and add explicit env var names (e.g., FEISHU_TOKEN) if needed; (2) clarify how 微信公众号 content will be accessed (API vs scraping) and provide code or required credentials; (3) add robust scraping/parsing (and rate-limiting and robots.txt/legal checks) rather than brittle HTML greps; (4) fix portability issues (grep -P dependency) or implement a more portable parser. Do not provide production credentials or secrets until integrations and required env vars are explicit and reviewed. If you plan to run it, test in an isolated environment and monitor outbound network activity.

功能分析

Type: OpenClaw Skill Name: daily-antifraud-report Version: 1.0.0 The skill is designed to generate anti-fraud reports by scraping Chinese news sites, but it contains a shell injection vulnerability in `scripts/search_cn.sh`. The script passes the `$QUERY` variable directly into a `curl` command without sanitization or proper quoting, which could allow for arbitrary command execution if the input is manipulated. While the workflow in `SKILL.md` aligns with the stated purpose, the lack of input handling in the shell script poses a security risk.

能力评估

⚠ Purpose & Capability

The SKILL.md says gather detailed items from sources including 中国新闻网, 人民银行网站, 百度, 知乎, 以及微信公众号 and then push the report to 飞书. The only shipped code is a simple Baidu HTML-scraping script (scripts/search_cn.sh). There is no code or declared env vars to read WeChat public account content or to authenticate/post to Feishu, so required capabilities for the stated workflow are missing.

⚠ Instruction Scope

Instructions ask the agent to collect detailed case-level data (times, modus operandi, bank names, amounts) and to push results to Feishu. The SKILL.md grants broad discretion about sources (including 微信公众号) but provides no safe, authenticated mechanisms. The included script only performs an unauthenticated Baidu search and then extracts links/titles; it does not implement the richer data collection or the Feishu push described.

✓ Install Mechanism

No install spec — instruction-only with a small helper script. This is low-risk from an install perspective. Minor portability note: the script uses grep -oP (Perl regex) which is not available in all environments and may fail on some systems.

⚠ Credentials

SKILL.md references pushing to Feishu and reading WeChat public accounts, which normally require tokens or API credentials, yet requires.env and primary credential fields are empty. The absence of declared env vars for Feishu/WeChat is an incoherence: either the skill expects credentials to be provided ad-hoc (risk of ad hoc secret entry) or the integration is missing.

✓ Persistence & Privilege

always is false and there are no install scripts or config writes. Autonomous invocation is allowed (platform default) but there is no requested persistent privilege. No evidence the skill modifies other skills or system settings.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install daily-antifraud-report
安装完成后，直接呼叫该 Skill 的名称或使用 /daily-antifraud-report 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of daily-antifraud-report skill: - Automatically generates a daily anti-fraud news briefing every morning at 8:00 AM or upon user request. - Focuses exclusively on anti-fraud news related to Chinese domestic banks and payment institutions. - Gathers and summarizes incident details: date, case process, bank involved, amount, and relevant information. - Outputs the report in a standardized, structured format for easy distribution.

元数据

Slug daily-antifraud-report

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题