Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Aggregator Skill

Comprehensive news aggregator that fetches, filters, and deeply analyzes real-time content from 8 major sources: Hacker News, GitHub Trending, Product Hunt, 36Kr, Tencent News, WallStreetCN, V2EX, and Weibo. Best for 'daily scans', 'tech news briefings', 'finance updates', and 'deep interpretations' of hot topics.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description, the SKILL.md usage examples, templates.md, README, and the Python fetchers all align: they target the listed 8 sources and provide deep-fetch, filtering, and report generation. The declared requirements (none) are consistent with a small Python utility that uses requests and BeautifulSoup (requirements.txt present). There are no unrelated requested credentials or surprising external services.
Instruction Scope
SKILL.md contains strong mandatory directives (e.g., MUST expand keywords, MUST deep-analyze every item, MUST save reports to reports/) and an interactive trigger that instructs the agent to read templates.md. The 'deep' mode explicitly downloads and extracts article text from arbitrary URLs (fetch_url_content in scripts/fetch_news.py). That behavior is expected for a deep reader, but it grants the skill the ability to issue HTTP requests to any URL discovered in news items — raising SSRF/remote-fetch risks. The pre-scan also detected Unicode control characters in SKILL.md (flagged as unicode-control-chars, a prompt-injection indicator) that may try to influence agent behavior; this is suspicious and should be inspected.
Install Mechanism
There is no formal install spec in the registry entry (instruction-only), but the package contains runnable Python code and a requirements.txt (requests, beautifulsoup4). The README suggests cloning from a GitHub repo and pip installing — a normal but manual install flow. Because code will be executed by the agent (scripts/fetch_news.py), the absence of an automated, vetted install increases the need to inspect the code before running.
Credentials
The skill requests no environment variables, credentials, or system config paths — consistent with its purpose. The number and nature of requested resources are proportional to a news scraper/aggregator. No hidden credential access was found in the provided files.
Persistence & Privilege
always:false (normal). The skill writes generated reports to a reports/ directory in its skill folder (SKILL.md requires saving reports). Writing files in the skill directory is expected for report generation, but users should note it will create persistent artifacts. The skill does not request to modify other skills or global agent configs.
Scan Findings in Context
[unicode-control-chars] unexpected: SKILL.md contained unicode control characters that the pre-scan flagged as potential prompt-injection. This is not needed for a news-aggregator and is suspicious — inspect SKILL.md for invisible characters that could alter parsing or instructions.
What to consider before installing
- Inspect the SKILL.md and scripts/fetch_news.py yourself (or have a trusted reviewer) — the skill contains executable Python code that makes network requests and writes reports to disk. The code is plausible for a news aggregator, but you should verify there are no hidden backdoors or obfuscated behaviors (the pre-scan found unicode control characters in SKILL.md).
- Be cautious with 'deep' mode: it fetches the full text of article URLs discovered in feeds. That allows requests to arbitrary URLs (SSRF risk). If you plan to use this skill, either disable automatic deep fetching by default or restrict it to an explicit user-approved mode.
- Run the skill in a sandbox or environment with restricted network access (no access to internal IP ranges) until you are confident. Limit concurrency/timeouts and consider a URL whitelist for deep fetching.
- Because the source/homepage is unknown, prefer obtaining the skill from a verifiable source (official repo or maintainer). If you must install, avoid giving it credentials and avoid running it on hosts that contain sensitive internal services.
- Remove or examine any invisible/unicode control characters in SKILL.md (these may be prompt-injection attempts). Also verify that templates.md and other files do not contain unexpected instructions or hard-coded endpoints.
- If you want to proceed: require explicit user confirmation before any global-scan/deep actions, and consider modifying fetch_news.py to limit which domains can be fetched and to log fetching actions for auditing.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0

SKILL.md

News Aggregator Skill

Fetch real-time hot news from multiple sources.

Tools

fetch_news.py

Usage:

### Single Source (Limit 10)

### Global Scan (Option 12) - **Broad Fetch Strategy**
> **NOTE**: This strategy is specifically for the "Global Scan" scenario where we want to catch all trends.

```bash
# 1. Fetch broadly (Massive pool for Semantic Filtering)
python3 scripts/fetch_news.py --source all --limit 15 --deep

# 2. SEMANTIC FILTERING:
# Agent manually filters the broad list (approx 120 items) for user's topics.
```

Single Source & Combinations (Smart Keyword Expansion)

CRITICAL: You MUST automatically expand the user's simple keywords to cover the entire domain field.

  • User: "AI" -> Agent uses: --keyword "AI,LLM,GPT,Claude,Generative,Machine Learning,RAG,Agent"
  • User: "Android" -> Agent uses: --keyword "Android,Kotlin,Google,Mobile,App"
  • User: "Finance" -> Agent uses: --keyword "Finance,Stock,Market,Economy,Crypto,Gold"

```bash
# Example: User asked for "AI news from HN" (Note the expanded keywords)
python3 scripts/fetch_news.py --source hackernews --limit 20 --keyword "AI,LLM,GPT,DeepSeek,Agent" --deep
```

Specific Keyword Search

Only use --keyword for very specific, unique terms (e.g., "DeepSeek", "OpenAI").

```bash
python3 scripts/fetch_news.py --source all --limit 10 --keyword "DeepSeek" --deep
```

Arguments:

  • --source: One of hackernews, weibo, github, 36kr, producthunt, v2ex, tencent, wallstreetcn, all.
  • --limit: Max items per source (default 10).
  • --keyword: Comma-separated filters (e.g. "AI,GPT").
  • --deep: [NEW] Enable deep fetching. Downloads and extracts the main text content of the articles.

Output: JSON array. If --deep is used, items will contain a content field associated with the article text.

Interactive Menu

When the user says "news-aggregator-skill 如意如意" (or similar "menu/help" triggers):

  1. READ the content of templates.md in the skill directory.
  2. DISPLAY the list of available commands to the user exactly as they appear in the file.
  3. GUIDE the user to select a number or copy the command to execute.

Smart Time Filtering & Reporting (CRITICAL)

If the user requests a specific time window (e.g., "past X hours") and the results are sparse (< 5 items):

  1. Prioritize User Window: First, list all items that strictly fall within the user's requested time (Time < X).
  2. Smart Fill: If the list is short, you MUST include high-value/high-heat items from a wider range (e.g. past 24h) to ensure the report provides at least 5 meaningful insights.
  3. Annotation: Clearly mark these older items (e.g., "⚠️ 18h ago", "🔥 24h Hot") so the user knows they are supplementary.
  4. High Value: Always prioritize "SOTA", "Major Release", or "High Heat" items even if they slightly exceed the time window.
  5. GitHub Trending Exception: For purely list-based sources like GitHub Trending, strictly return the valid items from the fetched list (e.g. Top 10). List ALL fetched items. Do NOT perform "Smart Fill".
    • Deep Analysis (Required): For EACH item, you MUST leverage your AI capabilities to analyze:
      • Core Value (核心价值): What specific problem does it solve? Why is it trending?
      • Inspiration (启发思考): What technical or product insights can be drawn?
      • Scenarios (场景标签): 3-5 keywords (e.g. #RAG #LocalFirst #Rust).

6. Response Guidelines (CRITICAL)

Format & Style:

  • Language: Simplified Chinese (简体中文).
  • Style: Magazine/Newsletter style (e.g., "The Economist" or "Morning Brew" vibe). Professional, concise, yet engaging.
  • Structure:
    • Global Headlines: Top 3-5 most critical stories across all domains.
    • Tech & AI: Specific section for AI, LLM, and Tech items.
    • Finance / Social: Other strong categories if relevant.
  • Item Format:
    • Title: MUST be a Markdown Link to the original URL.
      • ✅ Correct: ### 1. [OpenAI Releases GPT-5](https://...)
      • ❌ Incorrect: ### 1. OpenAI Releases GPT-5
    • Metadata Line: Must include Source, Time/Date, and Heat/Score.
    • 1-Liner Summary: A punchy, "so what?" summary.
    • Deep Interpretation (Bulleted): 2-3 bullet points explaining why this matters, technical details, or context. (Required for "Deep Scan").

Output Artifact:

  • Always save the full report to reports/ directory with a timestamped filename (e.g., reports/hn_news_YYYYMMDD_HHMM.md).
  • Present the full report content to the user in the chat.
