Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
News Aggregator Skill
v0.1.0Comprehensive news aggregator that fetches, filters, and deeply analyzes real-time content from 8 major sources: Hacker News, GitHub Trending, Product Hunt, 36Kr, Tencent News, WallStreetCN, V2EX, and Weibo. Best for 'daily scans', 'tech news briefings', 'finance updates', and 'deep interpretations' of hot topics.
⭐ 6· 2.5k·9 current·9 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description promises fetching and deep-analysis across 8 sources using scripts (e.g., scripts/fetch_news.py) and file templates, but the package contains no code or templates. The skill does not declare any required binaries or credentials even though some sources (Weibo/Tencent) often require auth or special scraping. The claimed capabilities therefore are not matched by the manifest.
Instruction Scope
SKILL.md tells the agent to run local scripts, read templates.md in the skill directory, save full reports under reports/, and perform 'deep' fetching that downloads and extracts main article text. Because those files are absent, the instructions are internally inconsistent. The instructions also mandate automatic keyword expansion and broad fetching strategies that could cause extensive external requests and storage of scraped content — behavior not constrained or justified in the metadata.
Install Mechanism
There is no install spec and no code files — lowest installation surface. That is safer from an installation-exec perspective, but also means the instructions are non-actionable as-distributed (they reference scripts that are not present).
Credentials
The skill requests no environment variables or credentials (proportionate on its face). However, the instructions imply reading local files (templates.md) and writing reports to disk, and performing deep downloads/extraction of external content: these are I/O privileges not declared in metadata. Also, some target sources (Weibo/Tencent) may require cookies or tokens in practice — the skill doesn't declare or justify those.
Persistence & Privilege
The skill does not set always:true and has no explicit disableModelInvocation setting (so default model-invocable behavior applies). This is normal, but because the skill promises broad autonomous fetching and deep scraping, you should be aware the model could invoke it without extra user prompts unless higher-level agent policies prevent that.
What to consider before installing
This package is missing the scripts and templates it instructs the agent to run and read. Before installing or enabling: (1) Ask the publisher for the missing files (scripts/fetch_news.py, templates.md, any scripts referenced) so you can review them — especially the 'deep' fetching logic that downloads and extracts article content. (2) Confirm whether any credentials/cookies are needed for sources like Weibo/Tencent and why those are not declared. (3) If you plan to run it, run the code in a sandbox and inspect network behavior (which domains are contacted, whether it follows arbitrary links, and whether it uploads data elsewhere). (4) Consider requiring the skill be user-invocable only or disabling autonomous invocation until you vet the implementation. Given the current mismatch between claims and provided files, do not grant broad runtime trust yet.Like a lobster shell, security has layers — review code before you run it.
latestvk97dcga5hsrscsr9g174tv5s9580eadm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.