筛选并按六大领域分类推送每日 Hugging Face 热门 OFR 相关论文，支持 Markdown 和 Telegram 格式输出。

This package appears to implement its stated function (fetch HF/arXiv papers, classify, and produce Markdown/Telegram text) but there are a few issues to be aware of before installing or running it: - Missing manifest declarations: run_and_send.sh requires TELEGRAM_TARGET (and relies on an openclaw CLI) but the skill metadata lists no required env vars or binaries. If you run that script (or an autonomous agent activates it) it will attempt to send the generated content to whatever TELEGRAM_TARGET is configured via the openclaw messaging client. Confirm you trust the target and the openclaw CLI configuration. - Outbound messaging risk: The repository contains a script that will publish messages to Telegram. If you do not want automated external posting, do not run run_and_send.sh and do not allow the agent to invoke it autonomously. Consider removing or editing that script to require manual confirmation. - Proxy behaviour: generator.py sets a default HTTP_PROXY/HTTPS_PROXY to http://127.0.0.1:7890 unless you override HF_DAILY_PAPERS_PROXY. This will change how network requests are routed (and may fail if you do not run a local proxy). If you have a local proxy that logs traffic, be aware the skill will use it by default. - Minor implementation issues: The helper send script embeds a Python here-doc that uses __file__ (likely to fail when run that way); the message-extraction regexes may not match the generator output — these are functional bugs, not necessarily security issues, but they affect behavior. What to do: inspect or run generator.py locally first (it only contacts huggingface.co and arxiv.org), and manually open the produced files in 'recommendations'. If you want Telegram pushes, review and run run_and_send.sh only after setting TELEGRAM_TARGET and verifying your openclaw messaging configuration. If you do not want external posting, remove or disable run_and_send.sh. If you need higher confidence, ask the publisher to update the skill metadata to declare TELEGRAM_TARGET/OPENCLAW_BIN and to document the send workflow and proxy behavior.

Type: OpenClaw Skill Name: hf-daily-papers-ofr Version: 1.0.0 The skill's code and documentation align with its stated purpose of fetching and categorizing daily papers from Hugging Face and arXiv. It makes legitimate network requests to these academic sources and generates local markdown/text files. While it allows proxy configuration via environment variables (`HF_DAILY_PAPERS_PROXY`), this is a standard practice and not indicative of malicious intent. There is no evidence of data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts against the agent in SKILL.md. The shell scripts use standard commands and handle inputs derived from trusted sources, mitigating shell injection risks.