Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily News Skill
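v1.1.0
Custom news categories: automatically fetches the latest news from the internet and broadcasts it by voice. Supports multiple categories such as technology, finance, sports and entertainment, with scheduled delivery.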
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (news fetch, summary, TTS, scheduled broadcast) align with what the scripts do: search via Tavily (optional) or simulate web search, build summaries, and invoke a Feishu voice sender. Required tools (curl, python3, jq, ffmpeg) and env vars (Feishu credentials, NoizAPI, optional Tavily key) are consistent with those capabilities.
Instruction Scope
SKILL.md and the main script keep to the stated scope (reading news_config.conf, fetching news, producing text, and sending voice/text). However the script attempts to call a sibling feishu-voice-skill (../feishu-voice-skill/scripts/send_voice.sh) if present — that is an external/adjacent component outside this skill's bundle and could execute arbitrary code with the same environment. The script also contains a simulated web_search fallback rather than performing live scraping unless Tavily API is provided.
Install Mechanism
No install spec — instruction-only with included shell scripts. This minimizes install-time risk (no remote arbitrary downloads). Required system binaries are standard (curl, python3, jq, ffmpeg).
Credentials
The skill asks for FEISHU_APP_ID / FEISHU_APP_SECRET / FEISHU_CHAT_ID and NOIZ_API_KEY (and optionally TAVILY_API_KEY). These are sensitive but appear necessary for sending messages and producing TTS. One inconsistency: the registry summary at the top of the evaluation said "Required env vars: none" while clawhub.yaml and SKILL.md do declare these env vars — this mismatch is a packaging/documentation issue you should notice before installing.
Persistence & Privilege
No always:true privilege; the skill is user-invocable and allowed to run autonomously by default (platform normal). The skill does not request to modify other skills or system-wide settings. The main risk is runtime: if a sibling feishu-voice-skill script exists it will be executed.
Assessment
This skill appears to do what it says, but check a few things before use:
1) The script requires Feishu credentials and a NoizAI key — these are sensitive; create a least-privilege Feishu app and use a chat/account you control.
2) Inspect the sibling script ../feishu-voice-skill/scripts/send_voice.sh if present — the main script will execute it and it could run arbitrary actions with your environment.
3) The package/registry metadata is inconsistent about required env vars (documentation mismatch) — verify env var needs yourself.
4) If you plan to run it on a schedule, use an account/VM/container with limited access and confirm absolute paths in crontab.
5) If you do not want external network calls, do not set TAVILY_API_KEY and review the script's network behavior (it posts to https://api.tavily.com/search when the key is set).
If you want further review, provide the feishu-voice-skill send_voice.sh and any fetch/summarize helper scripts referenced in SKILL.md.
Like a lobster shell, security has layers — review code before you run it.
