WeWeRSS

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could help create or remove RSS source subscriptions on the configured WeWeRSS instance if the user follows or authorizes those commands.

Why it was flagged

The skill documents API calls that create and delete server-side WeWeRSS resources. This is aligned with subscription management, but users should confirm channel/source IDs before mutation.

Skill content

curl -s -X POST "$WEWERSS_BASE_URL/api/open/channels" ...
curl -s -X DELETE "$WEWERSS_BASE_URL/api/open/channels/$CHANNEL_ID/sources/$SOURCE_ID"

Recommendation

Use the mutating commands deliberately, verify CHANNEL_ID and SOURCE_ID values, and avoid deleting sources unless that is the intended action.

What this means

Installation metadata may not warn users that they must configure a WeWeRSS service endpoint before using the skill.

Why it was flagged

SKILL.md marks a base URL environment variable as required, while the registry metadata declares no required environment variables. This is a minor declaration mismatch rather than hidden behavior.

Skill content

`WEWERSS_BASE_URL` — WeWeRSS instance address (required)

Recommendation

Configure WEWERSS_BASE_URL only to a trusted WeWeRSS instance and consider updating metadata to declare this required setting.