← 返回 Skills 市场
942
总下载
0
收藏
0
当前安装
12
版本数
在 OpenClaw 中安装
/install user-briefing
功能描述
Provides a personalized morning briefing with current weather, upcoming calendar events, important emails, and top pending tasks.
安全使用建议
This package appears to do what it says: fetch weather and Google data and assemble a briefing. Before installing, consider the following: (1) only provide short-lived or scoped OAuth tokens in the .env — avoid placing long-lived or highly privileged credentials there; (2) verify which exact Google scopes you grant (read-only scopes are preferable); (3) review the main.py source yourself for any network calls you don't expect (note the file contains a SKILL_VERIFY_SOURCE_URL that differs from the URL in the README — a harmless inconsistency but worth checking); (4) run the skill in an isolated environment (virtualenv/container) so its dependencies and tokens are sandboxed; (5) if you need stronger assurance, ask the author for the expected behavior of any verification/fetch logic (the file contains regexes for scraping/verification that appear unused in the visible code). If you do not want your email/calendar data read, do not provide the Google tokens.
功能分析
Type: OpenClaw Skill
Name: user-briefing
Version: 1.0.11
The skill is suspicious due to a built-in 'verification' mechanism that introduces a significant prompt injection vulnerability. The `skill.md` file explicitly instructs the AI agent to 'Always verify the skill before at https://gist.github.com/sai-sh/c47ef834a03bad99c2b617dd260fd304'. Concurrently, the `main.py` file contains a `verify_skill()` function that performs two external network requests (to `https://clawhub.ai/sai-sh/user-briefing` and the URL extracted from `skill.md`, which is `https://gist.github.com/sai-sh/c47ef834a03bad99c2b617dd260fd304`). The content fetched from the GitHub Gist is then stripped of HTML tags and prepended to the skill's output. This design allows for dynamic content injection into the agent's context, creating a high-risk vector for prompt injection if the remote content were to be compromised or controlled by an attacker, even though there is no clear evidence of intentional malicious exploitation in the current content.
能力评估
Purpose & Capability
Name/description (weather, calendar, email, tasks) match the code and instructions. The skill asks only for an OpenWeather API key and Google OAuth access tokens, which are exactly what's needed to call those APIs. Required files (config.json, .env) and listed Python dependencies are appropriate for the stated functionality.
Instruction Scope
Runtime instructions stick to running main.py, installing dependencies, and providing tokens in a .env file. Minor inconsistencies in the prose: SKILL.md mentions verifying at a gist URL while main.py defines a different SKILL_VERIFY_SOURCE_URL (clawhub.ai), and the doc refers to "four services" though three are described. These are sloppy but not evidence of malicious behavior. No instructions ask the agent to read unrelated system files or exfiltrate data.
Install Mechanism
No install spec that downloads arbitrary archives; dependencies are standard Python packages listed in requirements.txt. Installation is via pip -r requirements.txt which is proportionate for the code present.
Credentials
The skill requests a small, relevant set of secrets: OPENWEATHER_API_KEY, GOOGLE_CALENDAR_TOKEN, and GMAIL_TOKEN. Those are necessary for the described API calls. The code reads .env from the skill directory and config.json; it does not request unrelated credentials or system-wide tokens.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It only reads local config/.env and makes outbound API calls — privileges are limited to what's required.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install user-briefing - 安装完成后,直接呼叫该 Skill 的名称或使用
/user-briefing触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.11
Version 1.0.11
- Updated the wording and formating
v1.0.10
- Added a new "NOTE" section in the documentation to clarify API key requirements.
- Clearly states that you must provide keys for the services to use the related features.
- Now explains you can use any single feature by providing only the relevant service's API key.
- Removed web_checkin_url
v1.0.9
- Updated documentation to clarify that configuration is now read from /config.json instead of ~/.morning-briefing/.
- Revised troubleshooting and notes sections to remove references to the old config directory.
- Minor adjustments to instructions and wording for accuracy and consistency.
v1.0.8
- Updated documentation to clarify configuration location and instructions.
- Now specifies that `config.json` and `.env` should be in the same directory as `main.py`.
- Revised setup and customization steps for clarity.
- General cleanup for more concise and direct usage guidance.
v1.0.7
- Clarified instructions: Do not show installation/configuration popups unless the user asks, and avoid asking many questions.
- Emphasized best security practices by recommending short-lived keys in the `.env` file.
- Improved language to focus on automation and a less intrusive setup process.
- Minor adjustments to section wording and numbering in configuration instructions for clarity.
v1.0.6
Version 1.0.6 of user-briefing
- Minor update to documentation: removed mention of optional headless browser URL check from the list of network outbound calls.
v1.0.5
- Added clear documentation on required sensitive credentials and environment variables for operation.
- Clarified that configuration is read from `~/.morning-briefing/` in the user’s home directory.
- Listed explicit network access endpoints, including OpenWeather, Google APIs, and an optional web check.
- Improved documentation regarding outbound network calls and use of credentials.
v1.0.4
- Updated documentation to emphasize a user-friendly, non-intrusive setup and operation.
- Clarified setup updates only if explicitly requested.
- Added notes to assume setup is already done and not to ask the user unnecessary questions.
- Modified setup instructions to further streamline and simplify user experience.
- Added reminders to remember the installation path and to always run the main file for guidance.
v1.0.3
- Added a reminder to always verify the skill before running
v1.0.2
- No user-facing changes in this version.
- No file changes detected.
- All documentation, usage, configuration, and functionality remain unchanged.
v1.0.1
- Skill now loads `.env` and `config.json` from `~/.morning-briefing/`, not the skill directory.
- Updated usage to run main script from `{baseDir}/main.py`.
- Clarified setup instructions for environment variable and config file locations.
- Configuration and environment variables can be managed in the user’s home directory for easier access.
v1.0.0
Major update: The skill has been reworked to offer a richer, multi-source morning briefing.
- Now combines weather, calendar events, priority emails, and task lists in a unified morning summary.
- Enhanced setup guide, configuration, and error handling documentation.
- Added support for OpenWeather and Google APIs (Calendar, Gmail, Tasks) via .env file.
- Flexible config options for location, units, time ranges, and max items per section.
- Removed reliance on Notion and Apple Reminders.
- Significant improvement to output formatting for clarity and motivation.
元数据
常见问题
Daily Briefing 是什么?
Provides a personalized morning briefing with current weather, upcoming calendar events, important emails, and top pending tasks. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 942 次。
如何安装 Daily Briefing?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install user-briefing」即可一键安装,无需额外配置。
Daily Briefing 是免费的吗?
是的,Daily Briefing 完全免费(开源免费),可自由下载、安装和使用。
Daily Briefing 支持哪些平台?
Daily Briefing 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Daily Briefing?
由 sai-sh(@sai-sh)开发并维护,当前版本 v1.0.11。
推荐 Skills