OpenClaw News
v1.0.0Aggregates and delivers a curated briefing of new releases, skills, security issues, community discussions, and ecosystem news in the OpenClaw ecosystem.
⭐ 1· 1.6k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's name and SKILL.md describe a news aggregator for the OpenClaw ecosystem and the included scripts implement that. However, the registry metadata lists no required binaries or credentials even though SKILL.md and the scripts explicitly depend on external CLIs (gh, clawdhub) and an agent-provided web_search/Brave Search access. The omission of those runtime dependencies in metadata is a mismatch that affects install/usage expectations.
Instruction Scope
The runtime instructions and scripts stay within the stated purpose: they collect GitHub data via the gh CLI, query ClawdHub via the clawdhub CLI, produce search queries for the agent to run via its web_search/Brave Search tool, and format results for delivery. The scripts read/write only the skill's state files (state/*.json) and do not reference unrelated system paths or exfiltrate data to unexpected remote endpoints.
Install Mechanism
There is no install spec (instruction-only with bundled scripts), so nothing is downloaded at install time. The code is local and uses standard POSIX/Python tools; no remote code fetch or extract occurs. This is low-install risk, but it relies on preinstalled CLIs which are not declared in the registry metadata.
Credentials
The skill does not declare any required environment variables or primary credential in metadata, yet SKILL.md and scripts expect: an authenticated GitHub 'gh' CLI (which uses the user's GitHub token), possibly Brave Search API credentials via the agent web_search, and the clawdhub CLI (which may require registry access). Not declaring these credentials/tools in metadata is disproportionate and reduces transparency about what secrets or auth state the skill will use.
Persistence & Privilege
The skill is not always-on and does not request elevated privileges. It only writes its own state files under skills/.../state and does not alter other skills or global agent config. Autonomous invocation (allowed by default) is normal for skills and is not in itself a concern here.
What to consider before installing
This skill is functionally coherent as a news-aggregation tool, but the registry metadata fails to list runtime dependencies and credential requirements. Before installing or running it: (1) Verify you are comfortable granting the skill access to your local 'gh' CLI (it will use whatever GitHub auth gh has configured). If you don't want it to use your personal GH token, don't run the scripts or run them in an environment with limited gh credentials. (2) Confirm whether your agent's web_search/Brave Search integration requires an API key and whether you're willing to let the agent run those network searches. (3) Ensure you trust the clawdhub CLI output or run the skill in a sandbox first; clawdhub may query registries and could surface unexpected data. (4) Review the state/ files (pending_searches.json, raw_data.json) to see what queries and results are produced; they are stored locally and could contain noisy or sensitive registry entries. (5) Because metadata omitted required tools/creds, treat this as a transparency issue — if you need full assurance, ask the publisher to update metadata to declare gh/clawdhub/Brave Search requirements and any needed env vars, or run the scripts manually in a controlled environment.Like a lobster shell, security has layers — review code before you run it.
latestvk97crw8d7pqskmasjz0xj1yqth80a6fq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.