← 返回 Skills 市场
591
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install sovereign-daily-digest
功能描述
Compile and summarize configured news, weather, calendar, tasks, quotes, and more into a structured, daily personal intelligence briefing.
安全使用建议
This skill is mostly coherent with its goal of creating a local daily briefing, but check a few things before installing:
- Inspect the included script (scripts/digest.sh) yourself — it runs locally and reads files under your home directory (e.g., ~/.openclaw/daily-digest/config.yaml, ~/todo.txt, ~/calendars/*.ics, and any paths you add to the config).
- The SKILL.md and README mention using an environment variable DIGEST_EMAIL_PASS for IMAP and optionally the 'gh' CLI for GitHub issues, but the skill metadata does not declare these required credentials/tools. If you enable email or GitHub features, you will need to provide credentials (IMAP password via env var or gh-authenticated CLI). Only provide secrets if you trust the source.
- Confirm the source/trustworthiness of the repository before running it (the registry header lists 'source unknown' while README/skill.json reference a GitHub repo). If you plan to install via git clone, verify the repository contents and history on the remote.
- If you want extra safety, run the script in a limited environment (container or dedicated user account) until you confirm it behaves as expected. Disable scheduling (cron/launchd/Task Scheduler) until you review and trust the code.
If you want, I can scan the full scripts/digest.sh content line-by-line and summarize any specific commands that might access network endpoints or sensitive files.
功能分析
Type: OpenClaw Skill
Name: sovereign-daily-digest
Version: 1.0.0
The skill is classified as suspicious due to multiple critical shell injection vulnerabilities. The `SKILL.md` explicitly instructs the AI agent to create a crontab entry using a user-controlled `CRON` string without sanitization, leading to potential Remote Code Execution (RCE) via prompt injection (e.g., `echo "${CRON} ..." | crontab -`). Additionally, the `SKILL.md` instructs the agent to use user-controlled `LOCATION` and `REPO` values from `config.yaml` in `curl` and `gh` commands, respectively, which are not robustly sanitized in `scripts/digest.sh` (e.g., `sed 's/ /+/g'` is insufficient for `LOCATION`), also posing RCE risks. These flaws allow an attacker to execute arbitrary commands by manipulating the configuration or agent prompts, despite the skill's stated benign purpose.
能力评估
Purpose & Capability
The name/description align with the included script and SKILL.md: it aggregates calendar, tasks, RSS, weather, and optionally email/GitHub issues. However, skill.json declares only 'bash' as a required tool while README and SKILL.md expect python3 and the GitHub 'gh' CLI for some features—those tools are not declared. The README also suggests a GitHub repository and ClawHub install path while registry metadata at the top says 'Source: unknown' / 'Homepage: none' — a metadata mismatch that reduces traceability.
Instruction Scope
Runtime instructions stay within the stated purpose: reading config at ~/.openclaw/daily-digest/config.yaml, fetching RSS/weather via curl, parsing local calendar files, reading ~/todo.txt and other task files, optionally calling IMAP or gh CLI. The skill intentionally reads local files and may fetch remote feeds; this is expected. The SKILL.md explicitly instructs creating a config file and storing email passwords in an environment variable (DIGEST_EMAIL_PASS).
Install Mechanism
There is no install spec (instruction-only with helper script), which is lower risk. The README includes an example git clone from GitHub; that is a normal installation suggestion but relies on trusting the upstream repository. No downloads from unknown hosts or extracted archives are present in the package itself.
Credentials
The skill's docs and SKILL.md reference an environment variable for email credentials (DIGEST_EMAIL_PASS) and rely optionally on the user's gh CLI authentication, but the registry metadata lists no required environment variables and declares only bash as a required tool. This mismatch means sensitive inputs (email password, GH credentials via gh) are used by the skill but not explicitly declared in the skill metadata — users may not be warned up-front that these credentials are used. Requiring IMAP credentials or using the gh CLI is proportionate to the stated features, but the lack of explicit declaration is a transparency issue.
Persistence & Privilege
The skill does not request always: true and does not attempt to modify other skills or system-wide settings. It writes config and output files under ~/.openclaw/daily-digest and suggests cron/launchd/task-scheduler entries for user scheduling — these are normal for a local automation tool.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install sovereign-daily-digest - 安装完成后,直接呼叫该 Skill 的名称或使用
/sovereign-daily-digest触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — beautiful daily digest reports from multiple sources
元数据
常见问题
Sovereign Daily Digest 是什么?
Compile and summarize configured news, weather, calendar, tasks, quotes, and more into a structured, daily personal intelligence briefing. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 591 次。
如何安装 Sovereign Daily Digest?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install sovereign-daily-digest」即可一键安装,无需额外配置。
Sovereign Daily Digest 是免费的吗?
是的,Sovereign Daily Digest 完全免费(开源免费),可自由下载、安装和使用。
Sovereign Daily Digest 支持哪些平台?
Sovereign Daily Digest 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Sovereign Daily Digest?
由 ryudi84(@ryudi84)开发并维护,当前版本 v1.0.0。
推荐 Skills