Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
daily-news-brief
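v1.0.0
Aggregates and organizes news from multiple sources, classifies and sorts it by tech/finance/AI/agents, generates a Markdown summary, and can run on a schedule. Use when the user mentions "news", "today's news", "organize news", "tech news", "finance news", "AI news", "agent news", "aggregate news", or needs to get a news summary on a schedule.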
by 彬彬哦 @binbin1213
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included code and workflows: it fetches RSS/web pages, classifies, sorts, generates Markdown, saves to ~/daily-news-brief and can push via the OpenClaw CLI. One minor mismatch: the registry metadata did not declare required binaries (node/openclaw) even though the workflows and code expect Node.js and may call the 'openclaw' CLI.
Instruction Scope
Runtime instructions and code only read/write under ~/.daily-news-brief and ~/daily-news-brief, fetch configured news URLs, and invoke OpenClaw CLI for pushes. They do not request unrelated system files, broad environment variables, or external hidden endpoints beyond the news sources and the OpenClaw CLI.
Install Mechanism
This is an instruction-only skill (no remote download installs). It relies on standard npm packages (rss-parser, cheerio) and Node.js; QuickStart instructs local npm install. No archived downloads or remote install URLs are present.
Credentials
The skill requests no environment variables or credentials in metadata. It stores configuration in ~/.daily-news-brief/config.json and optionally uses OpenClaw's channels/targets (managed by OpenClaw). This is proportional to its function; it does not ask for unrelated secrets.
Persistence & Privilege
always:false and the skill only writes its own config, logs, and generated Markdown under the user's home directories. It invokes the OpenClaw CLI but does not alter other skills or system-wide agent configs. Cron/task scheduling is performed via user-level tools as described.
Assessment
This skill appears to do what it says: aggregate RSS/web news, classify and save Markdown, and optionally push via OpenClaw. Before installing or enabling scheduled runs:
1) Ensure Node.js (18+) and the npm dependencies (rss-parser, cheerio, etc.) are installed; the registry metadata did not list required binaries but the code expects them.
2) Review and edit ~/.daily-news-brief/config.json to control news sources and push targets; verify push.targets/OpenClaw channel configuration so it only sends to destinations you trust.
3) Be aware the skill writes logs and Markdown to ~/.daily-news-brief and ~/daily-news-brief and may create/modify a cron/task entry if you set it up; confirm the cron/Task Scheduler changes.
4) The skill invokes the 'openclaw' CLI for delivery; if you do not want network pushes, disable push in the config or run with --no-push.
5) If you want further assurance, inspect the included tools/*.ts files (they are plain TypeScript) before running.
Overall there are no obvious malicious behaviors, just the noted small metadata omission about required binaries.
tools/FetchNews.ts:103
Shell command execution detected (child_process).
tools/FetchNews.ts:3
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
