← 返回 Skills 市场
610
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install oc-daily-business-report
功能描述
Generate daily business briefings from multiple data sources. Aggregates weather, crypto prices, news headlines, system health, and calendar events into a fo...
安全使用建议
This skill appears to do what it says, but review these practical points before installing:
- Network calls: The script performs outbound HTTP(S) requests to public APIs (wttr.in, api.coingecko.com, api.quotable.io, and optionally newsdata.io). If you operate in a restricted environment, confirm these endpoints are allowed.
- Local storage: It creates and reads a config file at ~/.daily-report/config.json (or the directory set by REPORT_CONFIG_DIR). If you store a NewsData.io API key there, it will be saved in plain JSON; consider file permissions and whether you want credentials stored on disk.
- System info: The script reads disk usage and /proc/meminfo to report system health. That exposes basic resource usage which could be sensitive if reports are forwarded externally.
- Delivery/cron: The SKILL.md/README show examples of scheduling and say 'send the result' — the bundled code does not itself send reports to messaging services. If you wire this into a cron/job that forwards output (e.g., email, chat, webhook), review and secure the delivery target to avoid leaking internal data.
- Test locally first: Run the provided test commands and inspect the generated output and the config file before enabling automation. If you need encrypted or centrally managed API keys, avoid placing them in the plain config JSON and instead use a secrets manager or environment with restricted access.
If you want, I can scan the remainder of the script (the truncated part) for any unexpected behavior or help draft a safe deployment checklist.
功能分析
Type: OpenClaw Skill
Name: oc-daily-business-report
Version: 1.0.0
The skill's `scripts/report.py` file contains a Server-Side Request Forgery (SSRF) vulnerability. User-controlled inputs (e.g., `city`, `crypto` IDs, `news_country`) are directly concatenated into API URLs without robust sanitization. This could allow an attacker, via prompt injection against the OpenClaw agent, to force the script to make requests to arbitrary internal or external hosts, potentially leading to information disclosure or interaction with internal services. While this is a significant vulnerability, there is no clear evidence of intentional malicious behavior such as data exfiltration, persistence, or unauthorized remote control.
能力评估
Purpose & Capability
Name/description (daily business briefing) matches the included script: it fetches weather (wttr.in), crypto (CoinGecko), quotes, optional NewsData.io headlines, and local system stats. Minor mismatch: README/promotional text mentions sending reports via WhatsApp/other delivery channels, but the included script does not implement any outbound delivery (it only generates and can write files); this is a documentation/feature mismatch rather than malicious behavior.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python script with well-scoped commands (generate, config, test). The example integration suggests cron scheduling and says 'send the result' — the skill itself doesn't include messaging/delivery code, so users should be aware that delivery must be implemented separately and that scheduling automation could forward generated reports to other systems if configured elsewhere.
Install Mechanism
Instruction-only skill with no install spec and a small pure-Python script that relies on the stdlib urllib and shutil; nothing is downloaded or written to system locations beyond the user's config directory.
Credentials
The skill requests no environment variables or credentials. It does respect REPORT_CONFIG_DIR if provided and otherwise writes config to ~/.daily-report/config.json — that file may contain an optional NewsData.io API key if you set one, so credentials would be stored locally. The script reads /proc/meminfo and disk usage for system stats (expected for 'system' section).
Persistence & Privilege
always is false and the skill does not request persistent elevated privileges or modify other skills' configs. It only persists its own config under a user-owned directory.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install oc-daily-business-report - 安装完成后,直接呼叫该 Skill 的名称或使用
/oc-daily-business-report触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- Initial release of daily-business-report skill.
- Generates daily business briefings by aggregating data from weather, crypto, news, quotes, system health, and calendar events.
- Supports easy configuration and flexible output formats (JSON, markdown).
- Includes commands for generating full or partial reports, configuring preferences, and testing data sources.
- No API keys required for core features; optional for expanded news headlines.
- Designed for integration with platforms like OpenClaw and cron scheduling.
元数据
常见问题
Daily Business Report 是什么?
Generate daily business briefings from multiple data sources. Aggregates weather, crypto prices, news headlines, system health, and calendar events into a fo... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 610 次。
如何安装 Daily Business Report?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install oc-daily-business-report」即可一键安装,无需额外配置。
Daily Business Report 是免费的吗?
是的,Daily Business Report 完全免费(开源免费),可自由下载、安装和使用。
Daily Business Report 支持哪些平台?
Daily Business Report 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Daily Business Report?
由 mariusfit(@mariusfit)开发并维护,当前版本 v1.0.0。
推荐 Skills