tech-news-digest

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: tech-news-digest
Version: 3.16.0

The tech-news-digest skill bundle is a well-structured and documented news aggregation system. It uses a series of Python scripts to fetch, merge, and score data from RSS feeds, Twitter/X, GitHub, Reddit, and web search APIs. While the scripts utilize high-risk capabilities such as shell execution (via subprocess for orchestration and email delivery) and extensive network access, these actions are strictly aligned with the stated purpose. The code demonstrates security awareness by including input sanitization (e.g., URL scheme validation in fetch-rss.py), explicit instructions to the agent to avoid shell interpolation of untrusted content (in digest-prompt.md), and the use of temporary files for sensitive operations like PDF generation and email construction.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If broad credentials are supplied, the agent may have more account authority than is necessary for reading public tech-news sources.

Why it was flagged

The skill can use optional provider credentials, including a GitHub token and GitHub App private key file, to access source APIs.

Skill content
- name: GITHUB_TOKEN
    required: false
    description: GitHub token for higher API rate limits
...
- name: GH_APP_KEY_FILE
    required: false
    description: Path to GitHub App private key PEM file
Recommendation

Use narrowly scoped, read-only or public-data credentials where possible, and avoid providing a GitHub App private key unless you specifically need that authentication path.

What this means

The agent can post generated content to a Discord channel or send it by email when configured to do so.

Why it was flagged

The skill instructs the agent to use messaging and email-delivery tools to publish the generated digest.

Skill content
1. **Discord**: Send to `<DISCORD_CHANNEL_ID>` via `message` tool ... Send email with PDF attached using the `send-email.py` script
Recommendation

Confirm channel IDs, recipients, and delivery frequency before enabling delivery, especially for public or team channels.

Note (Medium Confidence)
ASI10: Rogue Agents
What this means

If a schedule is created, the digest may continue running and posting until the user disables it.

Why it was flagged

The README presents recurring scheduled operation as a normal use case.

Skill content
"Install tech-news-digest and send a daily digest to #tech-news every morning at 9am" ... "Your bot handles installation, configuration, scheduling, and delivery"
Recommendation

Only create recurring schedules after explicit user approval, and keep a clear way to review, pause, or delete the schedule.

What this means

Old archived digests can influence future deduplication and follow-up story selection.

Why it was flagged

The skill stores and reuses prior digest content as persistent context for future runs.

Skill content
Read the most recent file from `<WORKSPACE>/archive/tech-news-digest/` to avoid repeats and follow up on developing stories ... Save to `<WORKSPACE>/archive/tech-news-digest/<MODE>-YYYY-MM-DD.md`.
Recommendation

Keep the archive directory scoped to this skill, and review or clear archived files if they contain mistakes or content you do not want reused.

What this means

Installing dependencies brings in third-party packages, which is normal for this Python-based workflow but should be done intentionally.

Why it was flagged

The README documents user-directed Python package installation for optional or enhanced functionality.

Skill content
pip install -r requirements.txt ... pip install feedparser>=6.0.0 jsonschema>=4.0.0 ... pip install weasyprint
Recommendation

Install dependencies in a controlled Python environment and review the dependency list before adding optional packages such as PDF support.