ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

news-content

v1.0.2

Input a news URL to efficiently extract the body, title, author, and date using a remote API.

0· 331·1 current·1 all-time
by@fonilye
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, required binary (node), and required env vars (EASYALPHA_API_KEY, NEWS_EXTRACTOR_SERVER_URL) align with a client that forwards a URL to a remote extractor and returns parsed content.
Instruction Scope
SKILL.md instructs the agent to run the included Node script which sends the target URL and API key to a remote server and prints the server response. The instructions do not attempt to read unrelated files or other credentials, but they do direct potentially sensitive data (the URL and API key) to a remote endpoint.
Install Mechanism
No install spec (instruction-only skill) and the only runtime requirement is node. The repository includes a small client script; nothing is downloaded from arbitrary URLs at install time.
!
Credentials
The skill requires only the API key and server URL, which is proportionate, but the default server is on a duckdns personal domain (easyalpha.duckdns.org) and the client will send the API key to that host. This combination increases risk if the backend is untrusted or compromised.
Persistence & Privilege
The skill does not request always:true, does not modify other skill or system configs, and has no persistent installation actions described.
What to consider before installing
This skill forwards the page URL and your EASYALPHA_API_KEY to a remote backend (default: easyalpha.duckdns.org). That default host is a personal/dynamic-domain (duckdns) and the client disables TLS certificate validation (rejectUnauthorized: false), which increases the chance your key or content could be intercepted or misused. Before installing: (1) only set EASYALPHA_API_KEY if you trust the backend operator; (2) prefer pointing NEWS_EXTRACTOR_SERVER_URL to a trusted/organizational server or run the extractor backend yourself; (3) remove or fix the rejectUnauthorized:false setting so TLS is properly validated; (4) review the backend's privacy policy or run local parsing if you cannot trust remote handling of page content or credentials.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsnode
EnvEASYALPHA_API_KEY, NEWS_EXTRACTOR_SERVER_URL
latestvk97078nt85n7g425qwej0b36bh832ahj
331downloads
0stars
3versions
Updated 6h ago
v1.0.2
MIT-0
@fonilye
latest
Download

News Content Extractor (Pro Version)

This is a news content extraction Skill using a client-server architecture.

Features

  • Zero Local Dependencies: Uses Node.js for the client, so no complex Python libraries need to be installed locally.
  • Authentication: Core API calls are protected by EASYALPHA_API_KEY.
  • High-Performance Parsing: Powered by a remote backend service based on trafilatura.

Configuration Requirements

The following environment variables must be set to use this Skill:

  1. EASYALPHA_API_KEY: Your authentication token. Obtainable from: https://easyalpha.duckdns.org
  2. NEWS_EXTRACTOR_SERVER_URL: (Optional) The backend server address. Defaults to the production API: https://easyalpha.duckdns.org/api/v1/extract

Usage

User: "Scrape the content of this page: https://www.bbc.com/news/uk-12345678"

Agent Behavior:

  • Runs node scripts/extract_news.js https://www.bbc.com/news/uk-12345678
  • The script automatically includes the Token and sends the request to the server.
  • Parses and displays the results.

Comments

Loading comments...