Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rss Ai Reader

📰 RSS AI Reader: automatically fetches your feeds, generates summaries with an LLM, and pushes them to multiple channels! Supports Claude/OpenAI for Chinese-language summaries, delivered to Feishu/Telegram/Email. Trigger conditions: the user asks to subscribe to RSS, monitor a blog, fetch news, generate summaries, set up scheduled fetching, "subscribe to this for me", "monitor this site", "push me the news every day", or anything related to RSS/Atom feeds.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
12 · 4.6k · 16 current installs · 18 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The described capability (fetch RSS, summarize with Claude/OpenAI, push to Feishu/Telegram/Email) matches the instructions and config examples. However, the skill metadata declares no required environment variables or credentials, while the SKILL.md and config_guide explicitly expect LLM API keys and push-channel secrets (ANTHROPIC_API_KEY / OPENAI_API_KEY, FEISHU_WEBHOOK, TELEGRAM_BOT_TOKEN, EMAIL_PASSWORD). That discrepancy (metadata says none required but instructions require multiple secrets) is a mismatch that reduces trust.
Instruction Scope (flagged)
The SKILL.md directs the agent to run shell commands that clone a third-party GitHub repo and execute python main.py after installing requirements. These instructions cause the agent (or the user following them) to download and execute arbitrary code, install Python packages, and supply API keys — actions that go beyond simple, self-contained instruction text and enable arbitrary network access and data handling by external code.
Install Mechanism (flagged)
There is no formal install spec inside the skill, but the runtime instructions instruct cloning https://github.com/BENZEMA216/rss-reader.git and running pip install -r requirements.txt. That means code and dependencies will be pulled from an external repo and from PyPI at runtime — a higher-risk install flow because the skill bundle itself does not include or vet that code.
Credentials (flagged)
The SKILL.md and config guide expect several sensitive environment variables and secrets (Anthropic/OpenAI API keys, Feishu webhook, Telegram bot token & chat id, email SMTP credentials). The skill metadata declared none. Requiring multiple credentials is proportionate to the claimed push/LLM functionality, but the absence of these declared requirements in metadata is an incoherence and hides the fact that secrets must be provided. Supplying these secrets to code downloaded at runtime increases risk of accidental exfiltration.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide config paths in metadata. Autonomous invocation (disable-model-invocation: false) is the platform default and not a standalone concern. However, because the instructions cause external code to be executed, that code could create persistent state — the metadata does not document any such persistence.
What to consider before installing
This skill's functionality is plausible, but it asks you (via instructions) to clone and run a third-party GitHub project and to provide multiple sensitive keys/webhooks, while the skill metadata claims no required env vars. Before installing or using it:

1) Inspect the referenced GitHub repo and its main.py/requirements to confirm behavior and check for network/exfiltration code.
2) Prefer a skill bundle that includes audited code or a trusted release URL rather than an arbitrary clone.
3) Avoid reusing high-privilege API keys (use keys with minimal scopes or dedicated service accounts).
4) Run the code in a sandbox/container, and review dependency versions in requirements.txt.
5) If you cannot audit the repo, do not provide production secrets.

If the publisher supplies the included code directly in the skill (or documents a vetted release and explicitly lists required env vars in metadata), my concern level would drop.
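The first and fourth checklist items above can be partly mechanised. The script below is an added example, not code from the ClawHub page or from the rss-reader project: it uses Python's own `ast` module to list the outbound-capable imports and the environment-variable reads in a source file, and flags requirements.txt entries that are not pinned to an exact version. The sample source file and requirements list are constructed for the demo and are not the contents of the referenced repository; the module list is a reviewer's starting point, not an authoritative one. Needs Python 3.9+ for `ast.unparse`.

```python
import ast
import re

# Modules whose import means the code can reach the network, spawn processes,
# or ship data to an LLM provider. A reviewer's starting list; extend as needed.
OUTBOUND_MODULES = {
    "requests", "urllib", "http", "httpx", "aiohttp", "socket", "smtplib",
    "ftplib", "subprocess", "telegram", "anthropic", "openai",
}


def _string_arg(node, found):
    """Record a string literal used as an environment variable name."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        found.add(node.value)


def review_source(source: str) -> dict:
    """Return the outbound-capable modules a Python file imports and the
    environment variable names it reads via os.environ / os.getenv."""
    tree = ast.parse(source)
    modules, env_vars = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if top in OUTBOUND_MODULES:
                    modules.add(top)
        elif isinstance(node, ast.ImportFrom) and node.module:
            top = node.module.split(".")[0]
            if top in OUTBOUND_MODULES:
                modules.add(top)
        elif isinstance(node, ast.Call) and node.args:
            # os.getenv("NAME") and os.environ.get("NAME")
            if ast.unparse(node.func) in ("os.getenv", "os.environ.get"):
                _string_arg(node.args[0], env_vars)
        elif isinstance(node, ast.Subscript):
            # os.environ["NAME"]
            if ast.unparse(node.value) == "os.environ":
                _string_arg(node.slice, env_vars)
    return {"outbound_modules": sorted(modules), "env_vars": sorted(env_vars)}


# Exact pin: name==version, with optional extras in brackets.
PINNED_RE = re.compile(r"^[A-Za-z0-9_.\-]+(\[[^\]]*\])?\s*==\s*\S+$")


def unpinned_requirements(text: str) -> list:
    """Return requirement lines that are not pinned to an exact version, so a
    later 'pip install -r' could pull a different package than the one reviewed."""
    unpinned = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("-"):  # skip options such as -r / --index-url
            continue
        if not PINNED_RE.match(line):
            unpinned.append(line)
    return unpinned


# Constructed sample inputs for the demo (not the contents of the referenced repo).
SAMPLE_MAIN = '''
import os
import feedparser
import requests
from anthropic import Anthropic

api_key = os.environ["ANTHROPIC_API_KEY"]
hook = os.getenv("FEISHU_WEBHOOK")
token = os.environ.get("TELEGRAM_BOT_TOKEN", "")
requests.post(hook, json={"text": "hello"})
'''

SAMPLE_REQUIREMENTS = """feedparser==6.0.11
requests
pyyaml>=6.0
anthropic  # LLM client
"""

if __name__ == "__main__":
    print(review_source(SAMPLE_MAIN))
    print(unpinned_requirements(SAMPLE_REQUIREMENTS))
```

Run it against the cloned repository's main.py and requirements.txt (read the files and pass their text) before supplying any key; every environment variable the script reports should match one the skill's documentation says it needs, and anything it reads beyond that list deserves an explanation.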


Current version: v1.0.0
latest: vk9725knn1bt19mbct92dmpvphh80cztf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

📰 RSS AI Reader

Automatically fetch RSS feeds → generate Chinese summaries with an LLM → push to IM

✨ Core features

  • 📡 Automatic fetching of RSS/Atom feeds
  • 🤖 Chinese summaries generated by Claude/OpenAI
  • 📬 Multi-channel push: Feishu, Telegram, Email
  • 💾 SQLite de-duplication, so nothing is pushed twice
  • ⏰ Scheduled runs supported

🚀 Quick start

# Install
git clone https://github.com/BENZEMA216/rss-reader.git ~/rss-reader
cd ~/rss-reader && pip install -r requirements.txt

# Configure (edit config.yaml)
cp config.yaml my_config.yaml
# Set feeds, LLM key and push channels

# Run
python main.py --once              # run once
python main.py                     # start the scheduler
python main.py --stats             # show statistics

📝 Configuration example

# RSS feeds
feeds:
  - name: "Hacker News"
    url: "https://hnrss.org/frontpage"
    category: "tech"
  - name: "阮一峰周刊"
    url: "https://www.ruanyifeng.com/blog/atom.xml"
    category: "tech"

# LLM configuration
llm:
  provider: "claude"  # or "openai"
  model: "claude-sonnet-4-20250514"
  api_key: "${ANTHROPIC_API_KEY}"

# Push to Feishu
notify:
  feishu:
    enabled: true
    webhook_url: "${FEISHU_WEBHOOK}"
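The `${ANTHROPIC_API_KEY}` and `${FEISHU_WEBHOOK}` placeholders are exactly the secrets the scan report says the metadata fails to declare. The following added example (not the rss-reader project's code) extracts every such placeholder from the configuration text above, diffs it against the list the skill metadata declares, and expands the config fail-closed so a missing variable raises instead of leaving a literal placeholder or an empty string in the rendered config. The declared list is a constructed stand-in for the metadata field (the listing says the skill declares none, which the empty list models); the metadata's real format is not shown on this page.

```python
import os
import re

# The configuration example from the SKILL.md above (comments dropped).
CONFIG_TEXT = """feeds:
  - name: "Hacker News"
    url: "https://hnrss.org/frontpage"
    category: "tech"
llm:
  provider: "claude"
  model: "claude-sonnet-4-20250514"
  api_key: "${ANTHROPIC_API_KEY}"
notify:
  feishu:
    enabled: true
    webhook_url: "${FEISHU_WEBHOOK}"
"""

# Assumed stand-in for the environment variables the skill metadata declares.
# The listing reports that this skill declares none, hence the empty list.
DECLARED_ENV: list = []

# ${NAME} placeholders, NAME being a conventional environment variable name.
REF_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def referenced_env_vars(config_text: str) -> list:
    """Every ${NAME} placeholder the config expects to be filled from the environment."""
    return sorted(set(REF_RE.findall(config_text)))


def undeclared_secrets(config_text: str, declared) -> list:
    """Placeholders the config needs that the metadata does not declare,
    i.e. the mismatch the scan report describes."""
    return sorted(set(referenced_env_vars(config_text)) - set(declared))


def expand_config(config_text: str, env=None) -> str:
    """Substitute ${NAME} from env (default: the process environment) and fail
    closed: a missing variable raises rather than leaving the placeholder or an
    empty string in the rendered config, which would otherwise be sent on to the
    LLM provider or webhook as a literal value."""
    env = os.environ if env is None else env
    missing = [v for v in referenced_env_vars(config_text) if v not in env]
    if missing:
        raise KeyError(f"config references undefined variables: {missing}")
    return REF_RE.sub(lambda m: env[m.group(1)], config_text)


if __name__ == "__main__":
    print("referenced:", referenced_env_vars(CONFIG_TEXT))
    print("undeclared:", undeclared_secrets(CONFIG_TEXT, DECLARED_ENV))
```

A non-empty result from `undeclared_secrets` is the concrete form of the report's "metadata says none required but instructions require multiple secrets" finding; a publisher can make it empty by listing the same names in the metadata, and a reviewer can re-run the check on any updated version of the skill.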

📬 Supported push channels

Channel    Config item            Notes
Feishu     webhook_url            Group bot webhook
Telegram   bot_token + chat_id    Bot API
Email      SMTP settings          Supports Gmail and others

🔧 Command-line arguments

python main.py [options]

--config, -c  Config file path (default: config.yaml)
--once        Run only once
--stats       Show statistics
--db          Database path (default: rss_reader.db)

💡 Use cases

  1. Tech blog monitoring: subscribe to HN, Ruan Yifeng, V2EX and so on
  2. Morning news digest: push summaries to a Feishu group at a fixed time every day
  3. Competitor monitoring: subscribe to competitors' blogs and summarise them automatically
  4. Paper tracking: subscribe to arXiv and let the AI filter for you

📊 Sample output

Example Feishu message:

📰 Hacker News

**Why SQLite is Taking Over**

📝 SQLite is expanding from an embedded database into many more application scenarios.
The article analyses its advantages in edge computing and mobile apps...

[🔗 Read the original]

☕ Support the author

Files: 2 total
