Rss Ai Reader

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for an RSS summarizer, but users should notice that it relies on an external GitHub install, third-party API credentials, notification webhooks, and an optional scheduled runner.

Before installing, review the referenced GitHub repository and dependencies, use restricted credentials or app passwords, test one-time runs before scheduled mode, and only configure feeds whose contents you are comfortable sending to the selected LLM and notification channels.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The reviewed skill text does not itself show malicious behavior, but the actual runnable code and dependencies would come from a remote source.

Why it was flagged

The user is directed to install and run code from an external, unpinned GitHub repository that is not included in the reviewed artifact set.

Skill content
git clone https://github.com/BENZEMA216/rss-reader.git ~/rss-reader
cd ~/rss-reader && pip install -r requirements.txt
Recommendation

Review the GitHub repository and dependency file before installing, and pin a trusted commit if using it for regular automation.

What this means

If these credentials are misconfigured or exposed, someone could spend API credits or send messages through your configured channels.

Why it was flagged

The configuration guide asks for API keys, webhook URLs, bot tokens, and an email password, which grant access to paid LLM services and notification channels.

Skill content
export ANTHROPIC_API_KEY="sk-ant-xxx"
export OPENAI_API_KEY="sk-xxx"
export FEISHU_WEBHOOK="https://open.feishu.cn/open-apis/bot/v2/hook/xxx"
export TELEGRAM_BOT_TOKEN="123456:ABC-xxx"
export EMAIL_PASSWORD="app-password"
Recommendation

Use least-privilege bot/webhook credentials, prefer app-specific email passwords, keep secrets in environment variables, and rotate them if exposed.

What this means

RSS article content and generated summaries may leave your local environment and appear in the configured chat or email destinations.

Why it was flagged

The skill explicitly sends feed content to external LLM providers for summarization and then to external messaging/email channels.

Skill content
Supports Claude/OpenAI for generating Chinese summaries, pushed to Feishu/Telegram/Email.
Recommendation

Avoid private or tokenized feed URLs unless you are comfortable sharing that content with the selected LLM and notification services.

Note: High Confidence
ASI10: Rogue Agents
What this means

Once started in scheduled mode, it may keep making API calls and posting summaries until the process is stopped.

Why it was flagged

The skill supports a scheduled run mode that can continue fetching, summarizing, and sending updates after it is started.

Skill content
python main.py                     # start the scheduled task
Recommendation

Test with `--once` first, set conservative schedule and article limits, and run it under a process manager or shell where you can easily stop it.