Fetch the latest AI daily brief from imjuya/juya-ai-daily (GitHub) and return the Overview (summary) section. — 技能工具
v1.0.0Fetch the latest AI daily brief from imjuya/juya-ai-daily (GitHub) and return the Overview (summary) section.
0· 193·1 当前·1 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's stated purpose (fetching the latest summary from a public GitHub repo) is coherent, but the runtime instructions use tools and environment variables that the skill metadata doesn't declare, so the package is inconsistent and needs clarification before trusting it.
评估建议
This skill appears to do what it says (fetch a public GitHub markdown and extract the 'Overview'), but there are a few mismatches you should address before installing or running it unattended:
- The SKILL.md uses node (node -e), awk, sed, basename and other shell utilities but the registry metadata only lists curl. Ensure your agent environment actually provides these binaries or update the metadata. If you cannot provide node, the script will fail or behave unexpectedly.
- The script will rea...详细分析 ▾
ℹ 用途与能力
The name/description match the instructions: the script lists BACKUP/*.md in imjuya/juya-ai-daily and extracts the '## 概览' section. That capability does not require credentials for public repos and is appropriate for the stated purpose. However, the SKILL.md's runtime commands use additional binaries (node, awk, sed, basename, etc.) beyond the single declared dependency (curl), creating an inconsistency between claimed requirements and actual runtime needs.
ℹ 指令范围
The instructions confine themselves to calling the GitHub API and downloading a public markdown file, then extracting the overview section. They conditionally read GITHUB_TOKEN or GH_TOKEN to increase rate limits (optional), and they print the latest date to stderr. The script does not instruct reading arbitrary host files or posting data to third-party endpoints beyond api.github.com and raw file download URLs. Still, the instructions run an embedded node -e script and several shell utilities that are not declared; that mismatch could cause runtime surprises.
✓ 安装机制
This is instruction-only (no install spec, no code files). That is the lowest-risk install mechanism: nothing is downloaded or written by the registry/install process itself. The runtime will invoke curl and other tools already present on the host.
⚠ 凭证需求
The metadata declares no required environment variables, but the SKILL.md conditionally reads GITHUB_TOKEN and GH_TOKEN if present. Asking for optional GitHub tokens to raise rate limits is reasonable, but the skill metadata should declare these as optional env vars. More importantly, if a user provides a token, it grants GitHub API access — the token should be scoped and limited. The script will accept any token present in the environment, so users should not set broad-scoped or long-lived tokens without understanding the risk.
✓ 持久化与权限
The skill is not always-enabled, it does not request persistent system presence, and it does not modify other skills' configurations. Autonomous invocation is enabled by default (normal) but not itself a red flag here.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/17
first try
● 无害
安装命令 点击复制
官方npx clawhub@latest install juya-ai-daily-skills
镜像加速npx clawhub@latest install juya-ai-daily-skills --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制