← 返回 Skills 市场
73
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install operation-daily-report-claw
功能描述
运营数据日报虾 — 自动化多平台运营数据采集与日报生成。从抖音、小红书、视频号、B站、微博等平台采集数据,清洗标准化后生成结构化日报,并推送到飞书文档/群聊。 **当以下情况时使用此 Skill**: (1) 需要汇总多个内容平台(抖音/小红书/视频号/B站/微博)的运营数据 (2) 需要生成运营日报、周报、月报...
安全使用建议
This skill appears to implement the advertised report workflow, but the package metadata hides the real secrets it needs. Before installing: (1) insist the publisher update metadata to list required env vars (DOUYIN_*, XIAOHONGSHU_COOKIE, WEIXIN_CORP_*, BILIBILI_SESSDATA, WEIBO_*, etc.); (2) review scripts locally (they call only known platform endpoints via curl) and run them in an isolated environment or container; (3) avoid pasting long-lived full-account credentials—prefer scoped tokens where possible and rotate cookies/tokens frequently; (4) confirm how Feishu integration is performed (the skill expects external agent tools like feishu_create_doc/message); (5) if you must run on production servers, ensure data/ and .env are permission-restricted and consider limiting network egress or running behind a proxy to monitor outgoing API calls. If the publisher cannot justify the missing metadata or answer how credentials are stored/rotated, treat the skill as untrusted.
功能分析
Type: OpenClaw Skill
Name: operation-daily-report-claw
Version: 1.0.0
The skill bundle contains a code injection vulnerability in `scripts/fetch-platform-data.sh`. The script interpolates the `target_date` variable directly into a Python command string (`python3 -c`) without sanitization, which could allow an attacker to execute arbitrary Python code via a crafted date string (e.g., through prompt injection if the agent passes unvalidated user input to the script). While the bundle's stated purpose of automating social media reporting for platforms like Douyin and Xiaohongshu appears legitimate, this lack of input sanitization in a shell-to-python execution context represents a significant security flaw.
能力标签
能力评估
Purpose & Capability
The skill claims to aggregate platform metrics and push reports to Feishu, which matches the included scripts. However, the registry metadata lists no required environment variables or primary credential, while the scripts and reference docs clearly expect multiple sensitive credentials (DOUYIN_ACCESS_TOKEN, XIAOHONGSHU_COOKIE, WEIXIN_CORP_ID/SECRET, BILIBILI_SESSDATA, WEIBO_ACCESS_TOKEN, etc.). That omission is an inconsistency: a legitimate aggregator should declare these requirements up front.
Instruction Scope
SKILL.md and the scripts keep to the stated workflow: ask user which platforms, read credentials from a local .env, call platform APIs (curl), normalize JSON, run report generator, then push via Feishu tools. The instructions reference reading a .env and saving files under data/raw and data/reports (expected). They also instruct use of feishu_create_doc and message tools (agent/tool integration) and scheduling via cron. Nothing in the instructions reads unrelated system config or exfiltrates to unknown endpoints.
Install Mechanism
There is no install spec (lower install risk) but the skill bundle includes executable scripts that will run on the host. The fetch script uses curl/jq/python and the report generator requires pandas/jinja2; the package does not declare dependency installation. This is not malicious but means the operator must ensure required binaries and Python packages are installed in a controlled environment.
Credentials
The skill requires multiple high-sensitivity credentials (OAuth tokens, cookies, SESSDATA, corp secrets) for the platforms it integrates with. The registry metadata declares no required env vars — a mismatch that hides the true secrets surface. Using cookies (e.g., XIAOHONGSHU_COOKIE or BILIBILI_SESSDATA) is inherently fragile and sensitive and should be minimized or rotated. The number and sensitivity of env vars is proportionate to the task, but they should be declared and justified in metadata.
Persistence & Privilege
The skill is user-invocable and not forced-always; it does not request elevated platform privileges or modify other skills. It reads/writes files under its own workspace (data/) and suggests optional cron scheduling, which is normal for automation. Autonomous invocation is allowed (platform default) but not combined with other red flags here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install operation-daily-report-claw - 安装完成后,直接呼叫该 Skill 的名称或使用
/operation-daily-report-claw触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
初始发布:多平台运营数据采集与日报生成,支持抖音/小红书/视频号/B站/微博,含异常检测和飞书推送
元数据
常见问题
运营数据日报虾 是什么?
运营数据日报虾 — 自动化多平台运营数据采集与日报生成。从抖音、小红书、视频号、B站、微博等平台采集数据,清洗标准化后生成结构化日报,并推送到飞书文档/群聊。 **当以下情况时使用此 Skill**: (1) 需要汇总多个内容平台(抖音/小红书/视频号/B站/微博)的运营数据 (2) 需要生成运营日报、周报、月报... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 73 次。
如何安装 运营数据日报虾?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install operation-daily-report-claw」即可一键安装,无需额外配置。
运营数据日报虾 是免费的吗?
是的,运营数据日报虾 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
运营数据日报虾 支持哪些平台?
运营数据日报虾 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 运营数据日报虾?
由 Ricky(@tujinsama)开发并维护,当前版本 v1.0.0。
推荐 Skills