科技投资日报

科技行业投资日报生成与推送。当用户要求生成科技投资日报、发送每日投资报告、或cron定时触发日报任务时使用。自动抓取财联社实时新闻、获取涉及上市公司股价、生成深度分析报告并通过飞书一条消息发送完整Markdown报告，同时生成PDF附件。

This skill will attempt to read your platform's OpenClaw config (/root/.openclaw/openclaw.json) to extract Feishu appId/appSecret and then use those to get a tenant token and upload/send PDFs — but it does not declare that requirement. Before installing: (1) do not assume credentials are safe to share — inspect /root/.openclaw/openclaw.json and confirm whether it contains sensitive tenant credentials. (2) Ask the author to explicitly declare required credentials or change the skill to request Feishu credentials at configuration time rather than silently reading platform config. (3) Verify presence and origin of the referenced md2pdf-weasyprint conversion script and any fonts; these dependencies are required but not installed by the skill. (4) If you must run it, run in an isolated environment or a dedicated account with limited Feishu privileges, and rotate Feishu credentials after testing. (5) If you cannot validate these points, treat the skill as untrusted and avoid giving it access to platform/global config.

Type: OpenClaw Skill Name: tech-invest-daily Version: 1.1.0 The skill is classified as suspicious due to critical prompt injection vulnerabilities in `SKILL.md`. The AI agent is instructed to execute shell commands (`python3` and `bash`) where arguments (such as stock codes for `scripts/report.py` and file paths for the `md2pdf-weasyprint` script) are constructed by the agent. If an attacker can craft a prompt that causes the agent to include shell metacharacters (e.g., `;`, `$()`) in these arguments, it could lead to arbitrary command execution (shell injection).