← 返回 Skills 市场

Daily Morning Meeting

Name: Daily Morning Meeting
Author: johnsmithfan

作者 JohnSmithfan · GitHub ↗ · v1.0.1 · MIT-0

linuxdarwinwin32 ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install daily-morning-meeting

功能描述

每日早会自动执行技能。多Agent抓取全网热点，整理成早会简报发送给CEO。

使用说明 (SKILL.md)

每日早会技能

功能说明

每天早上指定时间自动触发（默认9:00）
调用全网搜索能力抓取当日热点新闻、行业要闻、政策动态、财经资讯等重要内容
多Agent协同分析讨论资讯内容，筛选高价值信息
整理成结构清晰、重点突出的早会简报
自动将简报发送给CEO

配置说明

执行时间：可通过cron任务配置自定义执行时间
资讯范围：支持自定义关注的行业、领域关键词
接收人：可配置简报接收人列表

依赖技能

qclaw-cron-skill 定时任务调度
multi-search-engine 全网资讯检索
agent-orchestrator 多Agent协同处理
message 消息推送

手动执行

运行以下命令立即触发早会简报生成：

python C:\Users\Admin\.qclaw\workspace\skills\daily-morning-meeting\main.py

安全使用建议

This skill appears to do what it claims (fetch news, format a briefing, and send it), but it has sloppy/incoherent elements you should resolve before installing on production systems. Specifically: - Confirm provenance: the Source/Homepage are unknown; prefer skills from a trusted author or with a public repo. - Inspect/modify save_path: both scripts hard-code C:\Users\Admin\.qclaw\workspace\ — change this to a correct, intended path for your environment to avoid accidental writes or collisions (and update the SKILL.md example for non-Windows hosts). - Verify the 'message' tool and recipient: ensure the message tool is authorized to send on behalf of the agent and that 'CEO' maps to the intended account; otherwise the skill could send data unexpectedly. - Review dependencies: SKILL.md lists qclaw-cron-skill and agent-orchestrator, but the included code does not invoke an orchestrator. If you plan to use cron/agent orchestration, prefer wiring scheduling/orchestration externally rather than trusting undocumented internal behavior. - Shell invocation hygiene: the Python script builds commands and calls subprocess.run(shell=True). If you adapt the skill to accept user-provided inputs (queries/recipients), ensure inputs are sanitized or avoid shell=True to prevent command injection. - Test in a sandbox: run the skill in an isolated environment, verify it only calls the expected openclaw tools, check what the message tool transmits (media file contents), and confirm no unexpected endpoints are contacted. If you can't verify the author's identity or the behavior of the dependent tools (web_search, message, agent-orchestrator), treat this as untrusted and avoid granting it access to real CEO communications or sensitive environments.

功能分析

Type: OpenClaw Skill Name: daily-morning-meeting Version: 1.0.1 The skill contains a shell injection vulnerability in main.py due to the use of subprocess.run(shell=True) to execute tool calls with string-formatted parameters. Additionally, both main.py and run.js use hardcoded absolute Windows file paths (C:\Users\Admin\...), which is a poor security practice and limits portability. While the logic appears aligned with the stated purpose of news aggregation, the use of unsafe execution methods and hardcoded environment assumptions warrants a suspicious classification.

能力评估

ℹ Purpose & Capability

Name/description, SKILL.md, and code all implement fetching news, deduping, saving a markdown brief, and sending via the 'message' tool — so the core capability matches. However: (1) the SKILL.md claims 'Multi-Agent' orchestration and lists 'agent-orchestrator' as a dependency, but neither main.py nor run.js actually call an orchestrator; (2) SKILL.md and code assume a Windows user path (C:\Users\Admin\.qclaw\workspace\) despite claiming cross-platform OS support. These are coherence issues (sloppy engineering or mis-documentation), not direct proof of malicious intent.

⚠ Instruction Scope

Runtime instructions and the code perform expected actions (search via openclaw web_search, write a file, call message tool). Concerns: both scripts write to a hard-coded user workspace path (C:\Users\Admin...), which may be incorrect on non-Windows hosts and could overwrite user files if altered; the Python version uses subprocess.run with shell=True to execute openclaw CLI commands (shell invocation increases risk if inputs are manipulated); the SKILL.md manual run example uses the Windows path, which is inconsistent with cross-platform claim. The scripts do not read other user files or environment variables beyond these operations.

✓ Install Mechanism

No install spec — it's instruction-only with included code files. Nothing is downloaded or installed during an install step, so there is no remote code fetch risk in the install phase.

✓ Credentials

The skill declares no required environment variables or credentials and the code does not attempt to read secrets or unrelated environment variables. The only sensitive action is sending messages to a recipient labeled 'CEO' via the platform 'message' tool; this requires trusting that tool's authorization but is proportional to the stated purpose.

✓ Persistence & Privilege

always is false and default agent invocation is allowed — normal for skills. The skill does not request permanent system-wide presence or modify other skills' configurations. It writes files into a workspace directory (expected behavior for a briefing generator).

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install daily-morning-meeting
安装完成后，直接呼叫该 Skill 的名称或使用 /daily-morning-meeting 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.1

v1.0.1: frontmatter规范化

元数据

Slug daily-morning-meeting

版本 1.0.1

许可证 MIT-0

累计安装 1

当前安装数 0

历史版本数 1

常见问题