每日宏观数据监控和推送。自动浏览免费数据源(Trading Economics、FRED、国家统计局、央行官网、财联社等),整理整合过去24小时发布的宏观数据和政策信息,并推送给用户。通过 cron 每天晚上10点自动触发。
Security Analysis
high confidenceThe skill's requests and runtime instructions are coherent with its stated purpose (daily web scraping and summarization of macro data); nothing requests unrelated credentials or installs, but there are a couple of small implementation details you should verify before enabling it automatically.
The name/description (daily macro data monitoring and push) matches the instructions (use browser to visit listed public data sites, compile past-24h items, push results). No unrelated env vars, binaries, or installs are requested.
Instructions are narrowly scoped to browsing public macro data sites, cross-checking explanations, compiling a report, and pushing it. Two practical issues: (1) the SKILL.md uses an absolute path /home/hmzo/.openclaw/... to read references/indicators.md (this is likely intended to read the skill's local reference file but is user-specific and may fail or accidentally reference a different location on other hosts); (2) the 'push' step references a message tool but the example invocation is empty/missing, so it's unclear what target or channel will receive the report. These are implementation/robustness issues rather than malicious scope creep.
No install spec and no code files — instruction-only skill. This is the lowest-risk install mechanism (nothing is downloaded or written by an installer).
The skill declares no environment variables, credentials, or config paths beyond reading its own references file. It only uses network access to public websites, which is consistent with its purpose.
always is false and the skill is user-invocable; autonomous invocation is allowed (default) but not combined with other red flags. Cron config is provided in the instructions, which is appropriate for a scheduled reporting skill.
Guidance
This skill appears to do what it claims (visit public macro data sites, compile a daily summary, and push it). Before enabling it automatically: 1) verify the 'read' path maps to the skill's local references file in your environment (the absolute path /home/hmzo/... may be incorrect or could point to an unexpected location); 2) confirm where the message tool will send reports (the example push invocation is missing) and that the destination is appropriate/authorized; 3) confirm you are comfortable with the agent's browser tool having network access to fetch and render third‑party pages (pages may contain dynamic scripts or require rate-limiting or respect robots.txt); 4) test a manual run to ensure the skill doesn't try to access other filesystem paths or prompt for credentials; and 5) ensure this scraping behavior complies with the terms of the target sites. If those checks are acceptable, the skill is coherent and proportionate to its stated purpose.
Latest Release
v1.0.2
优化说明与流程细节,保持每日22:00宏观数据推送与小白向指标科普
More by @hmzo
Published by @hmzo on ClawHub
