OpenClaw News
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the GitHub account already configured in your gh CLI to fetch release, pull request, and security issue data.
The skill may rely on the user's existing GitHub CLI authentication. The visible scripts use it for OpenClaw GitHub API reads, which is purpose-aligned, but users should notice the delegated account access.
- `gh` CLI installed and authenticated (for GitHub API)
Confirm the gh CLI is authenticated to the intended GitHub account and that its token scopes are acceptable before enabling scheduled runs.
Running the skill will contact external services and create/update local state files for the briefing.
The collection script invokes local CLI tools and network-backed registry/API queries. This is expected for a news aggregation skill and the shown commands are read-oriented.
gh api repos/openclaw/openclaw/releases ... clawdhub explore --registry https://www.clawhub.ai
Run it from the intended skill directory and make sure the gh and clawdhub binaries on your system are trusted.
The skill may not work as expected unless the documented local tools and search capability are available.
The registry metadata does not declare the helper tools and authentication described in SKILL.md. This appears to be an under-declared setup requirement rather than hidden behavior.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Treat the SKILL.md prerequisites as the practical setup contract even though the registry requirements are empty.
If you add the cron job, the agent will keep sending scheduled news briefings until the cron entry is removed or changed.
The skill documents optional recurring cron execution and message delivery. This is disclosed and user-directed, but it is still persistent behavior.
openclaw cron add --name "openclaw-news" ... --schedule "0 9 * * *" ... --channel signal
Only enable the cron schedule if you want recurring briefings, confirm the destination channel, and remove the cron job when no longer needed.