← 返回 Skills 市场
Wework Financial Daily
作者
leozhang1431
· GitHub ↗
· v1.0.0
· MIT-0
188
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install wework-financial-daily
功能描述
每日定时生成金融分析教学课件并推送至企业微信。使用场景:(1) 每天自动生成当日最新金融数据(BTC、AAPL 等)的教学课件,(2) 推送课件到指定企业微信账号,(3) 保存 HTML 课件到本地桌面,(4) 包含价格走势图表和趋势分析。支持通过环境变量配置企业微信 token 和接收人。
安全使用建议
Do not run this skill or its setup scripts without reviewing and modifying the code. Specific actions to consider before installing or scheduling it: 1) Inspect scripts/generate_and_send.py and remove or replace the hard-coded X_TOKEN, TO_USER, MINIO endpoint, access key, and secret; never run code that contains embedded credentials. 2) Verify the API endpoint (kd.chatedu.jiaxutech.com) and MinIO host (1.15.115.88) belong to your organization or a trusted provider; if not, assume generated reports will be publicly exposed. 3) If you need remote hosting, configure your own storage and secrets via environment variables and confirm the script uses os.getenv (it currently appears to ignore the documented env vars). 4) Avoid running SetupTask.ps1 as Administrator until you trust the code — scheduled tasks with highest privileges can be abused. 5) Run the script in a sandbox or isolated account, and rotate any tokens that may have been exposed. 6) Ask the publisher for provenance (homepage/source) and a version that reads credentials from env/config rather than hard-coding them. If you cannot validate the external hosts and embedded credentials, treat this skill as unsafe to deploy.
功能分析
Type: OpenClaw Skill
Name: wework-financial-daily
Version: 1.0.0
The skill bundle exhibits high-risk data handling and credential management practices. The main script `scripts/generate_and_send.py` contains hardcoded credentials for a remote MinIO server (IP: `1.15.115.88`) and automatically uploads generated reports to this server, making them accessible to the infrastructure owner. Furthermore, it routes sensitive Enterprise WeChat tokens (`WEWORK_X_TOKEN`) through a non-official third-party API gateway (`kd.chatedu.jiaxutech.com`), which poses a significant risk of credential harvesting. While these behaviors are functionally linked to the stated goal of generating and sharing reports, the reliance on hardcoded remote storage and third-party intermediaries for sensitive data is highly suspicious.
能力评估
Purpose & Capability
The skill claims to generate daily HTML courseware and push it to enterprise WeChat using environment-provided tokens. The shipped script does that but also uploads the report to a remote MinIO server (1.15.115.88) using hard-coded access key/secret and a hard-coded X_TOKEN and API URL. Uploading to a third-party MinIO and embedding credentials is not necessary to meet the described purpose and is disproportionate/unexplained.
Instruction Scope
SKILL.md instructs users to set WEWORK_X_TOKEN and WEWORK_TO_USER environment variables and to save the HTML to the desktop. The script, however, contains hard-coded X_TOKEN/TO_USER and silently uploads the generated HTML to an external MinIO service (and makes the object publicly accessible), then uses a specific API endpoint (kd.chatedu.jiaxutech.com) for sending. The instructions do not disclose the external upload or the public link behavior; this is scope creep and potential data exfiltration.
Install Mechanism
There is no install spec (instruction-only install), which lowers installer risk. However SKILL.md claims automatic dependency installation but provides no install script, and the code imports the 'minio' package which SKILL.md does not list. The lack of an explicit install step means dependency installation behavior is unclear.
Credentials
SKILL.md requests WEWORK_X_TOKEN and WEWORK_TO_USER (reasonable), but the script ignores those and has a hard-coded X_TOKEN and TO_USER at top. More critically, MinIO endpoint, access key, and secret are hard-coded in the script (sensitive credentials embedded in code) with no justification in the documentation. This is disproportionate and risky because secrets and generated reports are sent to an external IP.
Persistence & Privilege
The README/refs instruct running SetupTask.ps1 as administrator to create a scheduled task that runs with 'highest' privileges and 'run whether user is logged on' — creating an elevated persistent scheduled task is powerful and combined with external upload/backchannel behavior increases risk. The skill itself does not declare always:true, but its setup recommends creating a high-privilege system task.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install wework-financial-daily - 安装完成后,直接呼叫该 Skill 的名称或使用
/wework-financial-daily触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
- 首次发布,支持每日自动生成并推送金融分析教学课件到企业微信。
- 课件内容包括BTC、AAPL等标的30天走势、价格数据与五大技术分析模块。
- 输出HTML完整报告至本地桌面,并通过企业微信推送Markdown精讲摘要与链接。
- 支持环境变量或脚本内配置企业微信token及接收人。
- 一键运行及定时任务支持,自动安装所需依赖包。
- 提供自定义数据源与故障排查说明。
元数据
常见问题
Wework Financial Daily 是什么?
每日定时生成金融分析教学课件并推送至企业微信。使用场景:(1) 每天自动生成当日最新金融数据(BTC、AAPL 等)的教学课件,(2) 推送课件到指定企业微信账号,(3) 保存 HTML 课件到本地桌面,(4) 包含价格走势图表和趋势分析。支持通过环境变量配置企业微信 token 和接收人。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 188 次。
如何安装 Wework Financial Daily?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install wework-financial-daily」即可一键安装,无需额外配置。
Wework Financial Daily 是免费的吗?
是的,Wework Financial Daily 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Wework Financial Daily 支持哪些平台?
Wework Financial Daily 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Wework Financial Daily?
由 leozhang1431(@leozhang1431)开发并维护,当前版本 v1.0.0。
推荐 Skills