zer0yu

Sec Daily Digest

Author: z3r0yu · GitHub ↗ · v0.2.1
cross-platform ⚠ suspicious
Total downloads: 497
Favorites: 1
Current installs: 4
Versions: 3
Install in OpenClaw
/install sec-daily-digest
Description
Fetches latest articles from CyberSecurityRSS OPML feeds, applies AI/rule-based scoring, merges CVE and major vulnerability events, and generates a bilingual...
Security usage recommendations
What to consider before installing:
- Provenance: the skill lists Source: unknown and has no homepage; prefer code from a known, verifiable repository or maintainer.
- Credential exposure: despite registry metadata claiming no env vars, the SKILL.md and code require API keys (OpenAI, Gemini, Anthropic) and optionally Twitter keys. Only provide credentials you trust and limit their scope/permissions (use read-only or scoped keys where possible).
- Data leakage: article full-text excerpts and prompts are sent to whichever AI provider you configure. If you will be processing any sensitive content, avoid sending it to third-party LLMs or use a local provider (Ollama) if suitable.
- Persistent state: the skill creates ~/.sec-daily-digest and stores archives, health logs, and sources.yaml. If you want to sandbox it, set SEC_DAILY_DIGEST_HOME to a dedicated directory with limited access.
- Testing: use --dry-run and --no-twitter first to validate behavior without making AI calls or contacting Twitter. Inspect and, if desired, run the test suite (bun test) locally before scheduling automatic runs.
- Email behavior: the skill calls an external gog CLI for sending email if --email is used; that requires installing and authorizing gog separately.
- If you are unsure: review the source code (providers and fetch/enrich code) yourself or ask the author for a trustworthy upstream repository; avoid supplying high-value credentials until provenance is verified.
Functional analysis
Type: OpenClaw Skill
Name: sec-daily-digest
Version: 0.2.1
The sec-daily-digest skill bundle is a legitimate and well-structured tool designed to generate cybersecurity digests from RSS feeds and Twitter/X sources. It utilizes AI providers (OpenAI, Gemini, Claude, Ollama) for scoring, classification, and summarization, and includes robust features such as historical deduplication, vulnerability event merging, and source health monitoring. The code is transparent, includes an extensive test suite, and lacks any indicators of malicious intent, such as secret exfiltration, unauthorized persistence, or obfuscated payloads. All network activities (fetching RSS/Twitter data and AI API calls) and file operations (writing to ~/.sec-daily-digest) are consistent with its stated purpose of providing security researchers with curated technical intelligence.
Capability assessment
Purpose & Capability
The SKILL.md and source code clearly require AI provider credentials (OPENAI_API_KEY, GEMINI_API_KEY, ANTHROPIC_API_KEY) and optionally Twitter API keys, and write/read persistent state under ~/.sec-daily-digest. However the registry metadata lists no required env vars or credentials; that mismatch is a red flag. The code's functionality (RSS + Twitter fetching, AI scoring, full-text enrichment, archive & health state, email via gog) is coherent with the described purpose, but the absence of declared credentials in the manifest is inconsistent and unexplained. Also the skill's Source is 'unknown' and there is no homepage, which reduces provenance confidence.
Instruction Scope
The runtime instructions and code perform network fetches (OPML updates, RSS feeds, Twitter backends, full-text HTML fetches) and call third‑party AI APIs with article content. They also create/modify files under ~/.sec-daily-digest (config.yaml, sources.yaml, health.json, archive/*.json) and may invoke the gog CLI for email delivery. These actions are expected for a digest tool, but they do persist data locally and transmit article content to external LLM APIs (which could include sensitive text). There are no instructions that read unrelated system secrets, but SKILL.md/code do access environment variables (not declared in registry).
Install Mechanism
No install spec is provided (instruction-only from the registry perspective) and there are no fetched install artifacts. The package contains source code (TypeScript) and tests but no automatic network installer; risk from install mechanism is low. Note: runtime operations perform HTTP calls and write to disk when executed.
Credentials
The manifest claims no required env vars, but SKILL.md and code require multiple provider keys (OPENAI_API_KEY, GEMINI_API_KEY, ANTHROPIC_API_KEY) and optional Twitter credentials (TWITTERAPI_IO_KEY, X_BEARER_TOKEN). Requiring multiple unrelated provider credentials without declaring them in the registry is disproportionate and inconsistent. The skill will send article content and excerpts to whichever AI provider you configure, which is appropriate for scoring but means those provider keys should be scoped and treated as sensitive. SEC_DAILY_DIGEST_HOME controls state dir and is appropriate.
Persistence & Privilege
The skill writes persistent state to ~/.sec-daily-digest (config, sources, health, archives, opml cache). 'always' is false (normal). Persistent storage and the ability to run on a schedule/cron are expected for this use-case, but combined with network access and API credentials it increases the blast radius if credentials are leaked or the skill is malicious. The skill does not appear to modify other skills' configs or request elevated system privileges.
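How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install sec-daily-digest
  3. Once installed, invoke the Skill by name or trigger it with /sec-daily-digest
  4. Provide the required inputs according to the Skill's parameter description to get structured output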
Version history
v0.2.1
**Sec Daily Digest v0.2.1: Big update—adds Twitter/X KOL support, archive deduplication, source health monitoring, full-text enrichment, email delivery, and robust configuration.**
- Integrates Twitter/X KOL feeds with dynamic backend selection (supports twitterapi.io and official API).
- Adds article archive for 7d deduplication and scoring; keeps historical logs with auto-expiry.
- Implements source health monitoring and “Health Warnings” section in reports.
- Supports email delivery via `gogcli` with new `--email` CLI flag.
- Introduces full-text enrichment option (`--enrich`) and skipping logic for paywalled or social sites.
- Configuration expanded: new `sources.yaml` for Twitter KOLs; improved CLI and env var control.
- Pipeline and CLI enhanced with stricter fallback logic, new options, improved logging, and detailed output/statistics.
- Adds comprehensive test coverage and new utility modules for Twitter, archiving, email, and health tracking.
v0.2.0
Version 0.2.0
- Introduced modular AI pipeline stages: highlights, scoring, and summary
- Added AI parsing and prompt handling modules for better structure
- Expanded and updated end-to-end and unit tests for new pipeline stages
- Improved markdown report generation logic
- Updated documentation for new pipeline design and usage
v0.1.0
Initial release of sec-daily-digest.
- Fetches latest articles from CyberSecurityRSS OPML feeds, applies AI/rule-based scoring, and generates a bilingual daily digest for cybersecurity researchers.
- Merges articles related to the same CVE or major vulnerability events using semantic clustering and groups all reference links.
- Configurable command-line options: provider, OPML feed, time range, output path, and top-N selection.
- Supports multiple AI providers: OpenAI (default), Gemini, Claude, and Ollama.
- Outputs digest structured as "AI发展", "安全动态", "漏洞专报" sections with key stats displayed in terminal.
Metadata
Slug: sec-daily-digest
Version: 0.2.1
License:
Cumulative installs: 5
Current installs: 4
Historical versions: 3
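FAQ

What is Sec Daily Digest?

Fetches latest articles from CyberSecurityRSS OPML feeds, applies AI/rule-based scoring, merges CVE and major vulnerability events, and generates a bilingual... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 497 total downloads to date.

How do I install Sec Daily Digest?

Run the command "/install sec-daily-digest" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Sec Daily Digest free?

Yes, Sec Daily Digest is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Sec Daily Digest support?

Sec Daily Digest runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who develops Sec Daily Digest?

It is developed and maintained by z3r0yu (@zer0yu); the current version is v0.2.1.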
