Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Noon Digest - 新闻午报

v1.0.0

Every day at 12:00 noon, automatically pushes a news noon digest to QQ and Feishu, covering global hot topics, tech news, and financial headlines.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (a daily noon news digest pushed to QQ and Feishu) match the code and SKILL.md: the script formats a digest and posts it to a Feishu webhook, and QQ delivery is only signalled through the cron entry. However, the README and SKILL.md claim the skill "automatically fetches global news" (自动抓取全球新闻), while the bundled script uses hardcoded example items and performs no network fetching at all. This is a functional mismatch that could mislead users about what the skill actually does.
Instruction Scope
SKILL.md instructs setting FEISHU_WEBHOOK_URL and optionally QQ_ENABLED, adding an OpenClaw cron entry, and running the included Python script. The instructions reference only the script and the webhook; they do not ask the agent to read unrelated files, credentials, or system paths.
Install Mechanism
No install spec (instruction-only) and only a single small Python script are included. Nothing is downloaded or written by an installer at install time, which keeps risk low.
Credentials
SKILL.md and the script require FEISHU_WEBHOOK_URL (a sensitive webhook URL) and accept QQ_ENABLED, but the registry metadata lists no required env vars and no primary credential. This is an inconsistency. The webhook URL is a bearer secret: anyone holding it can post as the Feishu bot into that space. That capability is proportionate to the feature, but it should be declared explicitly in the skill's metadata and documentation so users know what they are handing over.
Persistence & Privilege
The skill does not request always:true or system-wide config changes. It runs as a user-invoked/cron job and does not modify other skills or request elevated persistence.
What to consider before installing
This skill's purpose (posting a noon digest to Feishu/QQ) is coherent, but take these precautions before installing:

1) Confirm the skill metadata declares the FEISHU_WEBHOOK_URL requirement. Currently the registry shows none, but SKILL.md and the script expect it. Treat the webhook URL as a secret: only provide a webhook with minimal scope, and be prepared to rotate it if it is abused.
2) Note that the description promises "automatic fetching" of global news, but the bundled script currently uses hardcoded example items rather than fetching live feeds. If you expect real news aggregation, inspect or modify the fetch_* functions before use.
3) Test in a safe environment or a non-production Feishu group to verify behavior.
4) Because the repository/source is unknown, review the code locally or vendor-lock it (or reimplement the network fetching explicitly) before granting any webhook credentials. If the author later updates the skill to perform live web requests, re-review the network endpoints and any new environment variables.
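Items 1 and 2 above (environment variables the script reads but the metadata never declares, and fetch_* functions that return canned items instead of fetching anything) can be checked mechanically before a webhook is handed over. The audit below is an added example, not code from ClawHub, OpenClaw, or the skill's author. The sample script, the `{"env": [...]}` metadata shape, and the assumption that fetchers are named `fetch_*` are all constructed for illustration; point `audit()` at the real script text and registry metadata to use it.

```python
import ast
import json

# Constructed stand-in for a bundled skill script (hypothetical, not the real skill code).
# It mirrors the pattern the scan describes: a fetch_* function returning fixed items,
# a webhook read from the environment, and an optional QQ flag.
SAMPLE_SCRIPT = '''
import os
import requests

def fetch_world_news():
    # hardcoded example items rather than a live fetch
    return ["Item A", "Item B"]

def push_feishu(text):
    url = os.environ["FEISHU_WEBHOOK_URL"]
    requests.post(url, json={"msg_type": "text", "content": {"text": text}})

def main():
    if os.getenv("QQ_ENABLED", "0") == "1":
        pass
    push_feishu("\\n".join(fetch_world_news()))
'''

# Constructed registry metadata that declares no env vars, reproducing the mismatch.
SAMPLE_METADATA = {"name": "news-noon-digest", "env": []}

# Modules whose presence means the script can talk to the network.
NETWORK_MODULES = {"requests", "urllib", "http", "httpx", "socket", "aiohttp"}


def _is_os(node) -> bool:
    return isinstance(node, ast.Name) and node.id == "os"


def _is_os_environ(node) -> bool:
    return isinstance(node, ast.Attribute) and node.attr == "environ" and _is_os(node.value)


def referenced_env_vars(source: str) -> set[str]:
    """Env var names read via os.environ["X"], os.environ.get("X") or os.getenv("X")."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            if isinstance(node.slice, ast.Constant) and isinstance(node.slice.value, str):
                found.add(node.slice.value)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            f = node.func
            getenv = f.attr == "getenv" and _is_os(f.value)
            environ_get = f.attr == "get" and _is_os_environ(f.value)
            if (getenv or environ_get) and node.args:
                a = node.args[0]
                if isinstance(a, ast.Constant) and isinstance(a.value, str):
                    found.add(a.value)
    return found


def network_modules(source: str) -> set[str]:
    """Imported modules capable of outbound requests (empty set => no live fetching)."""
    mods = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods.add(node.module.split(".")[0])
    return mods & NETWORK_MODULES


def hardcoded_fetchers(source: str) -> list[str]:
    """fetch_* functions whose whole body is a single return of a literal (canned data)."""
    out = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.FunctionDef) and node.name.startswith("fetch_"):
            # Ignore a leading docstring so it does not hide the single-return shape.
            body = [n for n in node.body
                    if not (isinstance(n, ast.Expr) and isinstance(n.value, ast.Constant))]
            if (len(body) == 1 and isinstance(body[0], ast.Return)
                    and isinstance(body[0].value, (ast.List, ast.Dict, ast.Constant))):
                out.append(node.name)
    return out


def audit(source: str, metadata: dict) -> dict:
    """Compare what the script reads against what the metadata declares."""
    declared = set(metadata.get("env", []))
    return {
        "undeclared_env": sorted(referenced_env_vars(source) - declared),
        "network_modules": sorted(network_modules(source)),
        "hardcoded_fetchers": hardcoded_fetchers(source),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SCRIPT, SAMPLE_METADATA), indent=2))
```

Run on the sample, the report lists FEISHU_WEBHOOK_URL and QQ_ENABLED as undeclared and flags fetch_world_news as returning canned data while `requests` is imported only for the webhook post. The fetcher check is a heuristic: a fetcher that wraps its literal in a loop or helper will slip past it, so treat an empty `hardcoded_fetchers` list as "nothing obvious", not as proof of live fetching, and re-run the audit whenever the skill is updated.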

Like a lobster shell, security has layers — review code before you run it.

latest · vk974rnrxvqcpcmdk1srqg7yx9183x4e9

