Total downloads: 678
Favorites: 0
Current installs: 0
Versions: 4
Install in OpenClaw
/install signal-pipeline
Description
Marketing intelligence pipeline - gather signals from RSS, X/Twitter, Telegram, and Gmail newsletters. Generate daily posts, weekly summaries, and monthly de...
Safe usage recommendations
Before installing or running:
1) Expect to configure and authorize a 'gog' CLI for Gmail — the skill does not declare that requirement; avoid giving Gmail access if you don't trust the code.
2) Inspect and change hardcoded paths (e.g., /Users/jarvis/.openclaw/workspace/memory/daily_signals/) — those will write into a specific user's home / agent workspace and may persist or be uploaded by the platform. Use a safe, explicit data directory you control.
3) Run the code in a sandboxed environment (isolated VM or container) because it performs web requests (t.me, fxtwitter, sogou) and writes local databases.
4) Consider replacing subprocess.run(..., shell=True) with a safer invocation or verify queries are static (newsletter_monitor uses static queries in code).
5) If you will grant Gmail access, review newsletter_monitor.py carefully to confirm only expected data (subject/sender/date) is extracted and that nothing is exfiltrated to external endpoints.
6) If you want to proceed, update SKILL metadata to declare required binaries (gog) and document Gmail credential needs; remove or parameterize absolute file paths so the skill is not implicitly writing into agent memory.
Functional analysis
Type: OpenClaw Skill
Name: signal-pipeline
Version: 1.1.0
The skill is classified as suspicious primarily due to a shell injection vulnerability in `newsletter_monitor.py`. This file uses `subprocess.run(shell=True)` with an f-string to construct a command for the `gog` CLI, which could allow arbitrary command execution if the `query` parameter were to be influenced by untrusted input. Although the current `NEWSLETTERS` list contains hardcoded queries, the use of `shell=True` with string interpolation is a significant security flaw. Additionally, `daily_signals.py` contains hardcoded paths like `/Users/jarvis/.openclaw/workspace/memory/daily_signals/` for saving and loading data, which is a vulnerability that could lead to errors or unintended file operations on different systems or user configurations.
Capability assessment
Purpose & Capability
The code implements RSS, X (FxTwitter), Telegram scraping, and Gmail newsletter extraction — consistent with the description. However the SKILL metadata declares no required binaries or credentials while the runtime relies on an external 'gog' CLI (Gmail access) and network access to third-party services (t.me, fxtwitter, sogou). The absence of those declared requirements is an inconsistency.
Instruction Scope
Runtime instructions and code reference reading Gmail via the gog CLI, scraping external websites, and writing/reading local files. More importantly, daily_signals.py writes and reads JSON from a hardcoded absolute path (/Users/jarvis/.openclaw/workspace/memory/daily_signals/), which is a user-specific and agent-workspace-like location. That path assumption and absolute writes are out-of-scope for a portable skill and could cause privacy/persistence issues.
Install Mechanism
There is no install spec (instruction-only with bundled Python code). No network install of arbitrary archives or remote execution at install time was specified. You must pip-install requirements manually; that's expected for a Python project. Risk from install mechanism is low, but running the code will make network requests and write files.
Credentials
The skill requests no env vars/credentials in metadata, yet newsletter_monitor.py requires a configured 'gog' CLI with Gmail access (which implies OAuth credentials or local tokens). The code also writes into a likely agent memory path under a specific user's home, which gives it implicit access to agent/user workspace. Those required secrets and file access are not declared and are disproportionate to what's advertised.
Persistence & Privilege
The skill is not always-enabled and doesn't modify other skills, but it writes persistent state to local SQLite DBs and to a hardcoded agent-memory-like directory (/Users/jarvis/.openclaw/workspace/memory/...). Writing into an OpenClaw-style workspace/memory directory could cause data to be retained by the agent platform; combined with autonomous invocation (default) this increases persistence and blast radius relative to a self-contained script.
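How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install signal-pipeline
- Once installation completes, call the Skill by name or trigger it with /signal-pipeline
- Provide the required input as described by the Skill's parameters to get structured output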
Version history
v1.1.0
Added EvoMap-style signal capsules with GDI quality scoring
v1.0.2
Removed personal info from docs
v1.0.1
Added X/Twitter and Gmail newsletter modules
v1.0.0
Initial release
Metadata
FAQ
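What is Signal Pipeline?
Marketing intelligence pipeline - gather signals from RSS, X/Twitter, Telegram, and Gmail newsletters. Generate daily posts, weekly summaries, and monthly de... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 678 total downloads so far.
How do I install Signal Pipeline?
Run the command "/install signal-pipeline" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is Signal Pipeline free?
Yes, Signal Pipeline is completely free (open source and free of charge) and can be freely downloaded, installed, and used.
Which platforms does Signal Pipeline support?
Signal Pipeline is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Signal Pipeline?
It is developed and maintained by KF (@mephistophelesbits); the current version is v1.1.0.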