tech-news-digest
v3.16.0
Generate tech news digests with unified source model, quality scoring, and multi-format output. Six-source data collection from RSS feeds, Twitter/X KOLs, Gi...
⭐ 22· 7.3k·107 current·112 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: scripts fetch RSS, Twitter/X, GitHub, Reddit and web search, merge/deduplicate, score and render outputs (Discord/email/PDF). Declared required binary (python3) and optional tools (mail/msmtp/gog/weasyprint/gh) are appropriate for the described features. The large list of optional API keys (Twitter, Brave/Tavily, GitHub, etc.) is expected for multi-source collection.
Instruction Scope
SKILL.md instructs the agent to run the included Python pipeline scripts, read config defaults and workspace overlays, consult previous digests in the workspace archive for deduplication, and write temporary outputs to /tmp and the workspace archive. These actions are proportional to generating and delivering digests. The instructions explicitly avoid interpolating untrusted content into shell arguments and require static email subjects, which reduces some risk.
Install Mechanism
There is no automated install spec (instruction-only), which is lowest risk. The README suggests optional pip installs (requirements.txt / weasyprint) but installation is manual and not enforced by the skill metadata. No remote archive downloads or obscure installers are invoked by the skill metadata.
Credentials
No required secrets are declared; the listed optional environment variables (Twitter/X keys, Brave/Tavily keys, GitHub token/git app credentials) are directly related to fetching data from those services. The number of optional variables is large because the skill integrates many third-party data sources, which explains the footprint. The SKILL.md documents these variables and their purposes. (Note: GitHub App auto-token generation is only meaningful if GH app credentials are supplied.)
Persistence & Privilege
always:false and user-invocable: true. The skill writes its own archive under the workspace and temporary files under /tmp only; it does not request system-wide configuration changes or attempt to modify other skills. Autonomous invocation is allowed by platform default but not elevated by this skill.
Assessment
This skill appears to do what it says: aggregate multiple public feeds and produce digests. Before installing, review and decide: (1) which optional API keys you will provide — supply only keys you trust and scope them narrowly (rate-limit / read-only where possible); (2) set workspace/config overlays so the skill doesn't publish or archive content you consider private; (3) inspect send-email.py and delivery targets (Discord channel IDs, email addresses) to avoid accidental postings; (4) run the pipeline in debug mode (--debug / --verbose) and check intermediate outputs in a safe environment before scheduling automated deliveries. If you do not want outbound delivery, omit providing DELIVERY targets and email/channel IDs. Confidence in this assessment is high given the included code and explicit documentation; if you want a line-by-line security review of specific scripts (send-email.py, fetch-web.py, fetch-twitter.py), provide those files and I will flag any risky code patterns or network endpoints.
Like a lobster shell, security has layers — review code before you run it.
latestvk975ntbqaqmccpx4em9hjyv40d83ncbd
Runtime requirements
Bins: python3
