Total downloads: 82
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install qqbot-daily-news-briefing
Description
Generates and delivers automated daily tech and finance news briefings with AI commentary via QQ, Telegram, or Discord using Baidu API or DuckDuckGo search.
Security usage recommendations
This skill is plausible for generating/delivering news, but several red flags need attention before installing:
- Missing declared dependencies: The generator calls a separate Baidu helper at {WORKSPACE}/skills/baidu-search/scripts/search.py which is not included or mentioned as a required package; ask the author where that comes from or provide it yourself.
- Undeclared environment variables: The registry lists none, but the code and SKILL.md require BAIDU_API_KEY and target-user envs. Treat any API key you set as sensitive.
- Privileged file locations: Scripts default to /root/.openclaw/workspace and /var/log; they will likely fail or require root. Prefer running in a dedicated non-root user or container and update WORKSPACE and log paths accordingly.
- Hardcoded sample target IDs are present in scripts; replace them with your own values before use and verify the target format.
- Persistent scheduling: The skill instructs cron setup and may add OpenClaw cron sessions; verify scheduled jobs after installation and ensure you want the automatic daily deliveries.
- OpenClaw CLI dependency: Delivery methods rely on the openclaw command. Confirm it is installed and configured and that the channels (qqbot/telegram/discord) are authorized.
Recommended next steps before using:
1) Request or locate the missing 'baidu-search' helper and update the README/SKILL metadata to declare it as a dependency.
2) Run the scripts in a sandboxed, non-root environment, updating WORKSPACE and LOG paths to user-owned directories.
3) Remove/replace hardcoded target IDs.
4) Only export BAIDU_API_KEY if you trust the code and prefer per-user (not system-wide) env config.
5) If you cannot confirm the origin of the baidu-search helper or the author, treat the skill as untrusted and avoid giving it production credentials.
Functional analysis
Type: OpenClaw Skill
Name: qqbot-daily-news-briefing
Version: 1.0.0
The skill is classified as suspicious due to hardcoded recipient identifiers and a significant injection vulnerability. The scripts deliver-briefing.sh and news-deliver-direct.py hardcode a specific target user ID (9C12E02D9038B14FCEDCE1B69AAEAB3F), which overrides user-provided environment variables and directs all generated briefings to a single external account. Furthermore, the delivery mechanism is vulnerable to tag injection; it fetches headlines from external sources via generate-briefing.py and embeds them unsanitized into a message containing the <qqfile> tag. This could allow an attacker to exfiltrate local files by poisoning news results with titles containing malicious tags (e.g., <qqfile>/etc/passwd</qqfile>). The reliance on high-privilege paths (/root/) and the openclaw cron add command also presents a high-risk profile.
Capability assessment
Purpose & Capability
The skill's stated purpose (news aggregation + delivery) matches the scripts' behavior, but required capabilities are not declared. The code expects a Baidu search helper at {WORKSPACE}/skills/baidu-search/scripts/search.py (invoked via subprocess) even though the package/README/SKILL metadata do not declare this dependency. Scripts also assume OpenClaw CLI availability for delivery. The registry metadata lists no required env vars or credentials, yet the runtime expects BAIDU_API_KEY and target-user/channel settings. These mismatches mean the skill will fail or behave unexpectedly unless external dependencies and credentials are provided.
Instruction Scope
SKILL.md instructs adding environment variables (BAIDU_API_KEY, NEWS_TARGET_USER / QQ_TARGET_USER) and setting cron jobs and editing scripts — which is reasonable — but it does not document the required external baidu-search script path referenced at runtime. The instructions also direct writing/reading from system-wide locations (/etc/profile.d, /var/log, /root/.openclaw/workspace) and creating cron jobs; these have system-wide effects and require appropriate privileges. There is no instruction to install or verify the external 'baidu-search' skill or the OpenClaw CLI; the code will invoke those without checking for presence.
Install Mechanism
There is no install spec (instruction-only install) — the lowest install risk — and all code is included in the bundle. That reduces risk from arbitrary downloads. However, the scripts expect external artifacts (OpenClaw CLI and a separate baidu-search script under WORKSPACE/skills) which are not provided; this is an operational/consistency gap rather than a network-install risk.
Credentials
Registry metadata claims no required env vars or primary credential, but SKILL.md and code clearly use BAIDU_API_KEY and target-user variables (NEWS_TARGET_USER / QQ_TARGET_USER). The skill also writes logs to /var/log and stores files under /root/.openclaw/workspace, implying elevated privileges. Asking users to place API keys in system-wide /etc/profile.d or /etc/environment is more privileged than necessary and should be optional/explicit. The skill exposes hardcoded sample target IDs in scripts which should be removed or clearly documented.
Persistence & Privilege
always:false (normal). The skill's instructions encourage persistent scheduling via system cron and the delivery script (and news-deliver-direct.py) may schedule OpenClaw cron sessions automatically. That creates persistent scheduled behavior, which is consistent with its purpose. Still, because the scripts write to system paths (/var/log, /root workspace) and may schedule tasks, you should review and run them in a controlled environment (non-root or container) before deployment.
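How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install qqbot-daily-news-briefing
- Once installation completes, call the Skill by name or use /qqbot-daily-news-briefing to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output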
Version history
v1.0.0
Major update: Complete rework into an automated news briefing generator and delivery system with scheduled aggregation, dual-search support, and cross-channel delivery.
- Fully automated daily news briefing generation and scheduled delivery via cron jobs.
- Dual-search: Baidu API integration (preferred) with automatic fallback to DuckDuckGo (no API key needed).
- Flexible multi-channel delivery: QQBot, Telegram, Discord supported via script configuration.
- Modular scripts for news generation (with AI commentary) and robust delivery, with sample queries for tech and finance news in China and globally.
- Easy environment-based customization: set user/channel, article count, queries, and delivery time.
- Comprehensive setup guides (CONFIGURATION.md), API usage, and template samples included.
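FAQ
What is qqbot-daily-news-briefing?
Generates and delivers automated daily tech and finance news briefings with AI commentary via QQ, Telegram, or Discord using Baidu API or DuckDuckGo search. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 82 total downloads to date.
How do I install qqbot-daily-news-briefing?
Run the command "/install qqbot-daily-news-briefing" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration required.
Is qqbot-daily-news-briefing free?
Yes, qqbot-daily-news-briefing is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does qqbot-daily-news-briefing support?
qqbot-daily-news-briefing runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed qqbot-daily-news-briefing?
It is developed and maintained by propn (@propn); the current version is v1.0.0.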