Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dailynewsreport
v1.0.2 · Periodically fetches and consolidates news from multiple sources, deduplicates and classifies it, rewrites each item into an industry-research-grade one-sentence news item, outputs a structured daily report, and supports Telegram push.
⭐ 1 · 275 · 2 current · 2 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description describe a news aggregator + Telegram delivery and the code implements fetchers, normalizer, deduper, classifier, rewriter, ranker, scheduler, and a Telegram deliverer — all consistent with the stated purpose. Permissions like internet and file-system read/write are reasonable for this functionality. Minor oddities: package.json lists a 'crypto' npm dependency even though Node provides crypto built-in, and some upload docs reference a local developer path (/Users/lezi) which appears to be leftover developer instructions.
Instruction Scope
SKILL.md and code keep to the news pipeline, but the TelegramDeliverer uses child_process.exec to run a curl command built by interpolating the bot token and chat id directly into a shell string. Bot token/chat id are configurable values; inserting them without shell-escaping can lead to shell injection if those values are malicious or incorrectly formatted. No other instructions request broad system data, but install.sh requires OPENCLAW_SKILLS_DIR to be set which is expected for installation.
Install Mechanism
There is no external download/install spec; the package is instruction/code-based and uses an install.sh that copies files into the platform skills directory. No remote arbitrary URL downloads or archive extraction were observed. This is lower risk from an install-source perspective.
Credentials
The skill declares permission 'env:read' in skill.json but the runtime code does not read process.env for credentials (install.sh checks OPENCLAW_SKILLS_DIR during install). Telegram credentials are intended to be set via skill config. Requesting env:read may be unnecessary. Requested config keys for Telegram are proportionate, however file-system write/read permissions are broad but plausibly needed for config and local caching/logs.
Persistence & Privilege
The skill is not always-enabled and has normal autonomous invocation settings. It does not attempt to modify other skills or global agent settings. Its scheduler registers tasks inside its own scope. No excessive persistence privileges were requested beyond typical file-system and network access.
Scan Findings in Context
[child_process.exec_curl_with_unescaped_inputs] unexpected: The TelegramDeliverer builds a curl command string containing the botToken and chatId and executes it via child_process.exec. Using an HTTP library (axios) would be expected; invoking a shell with interpolated config fields poses a shell-injection risk if those fields are not strictly validated/escaped.
[skill_permissions_env_read] unexpected: skill.json declares 'env:read' permission though the codebase does not otherwise read environment variables for credentials. The install script references OPENCLAW_SKILLS_DIR env var, which explains some env usage, but env:read is broader than appears necessary.
[listing_crypto_dependency] expected: package.json lists an external 'crypto' dependency even though Node.js includes crypto; this is likely benign or a packaging oversight but is unusual.
What to consider before installing
This skill is functionally coherent for collecting and pushing news, but exercise caution before installing:
- Telegram send uses a shell-invoked curl command that directly interpolates your bot token and chat id into a shell string. If those config values are ever attacker-controlled or contain unexpected characters, they could allow shell injection. Prefer a version that uses a proper HTTP client (axios is already a dependency) or ensure tokens are strictly validated/escaped.
- The skill requests env:read and file-system read/write permissions. Confirm the platform's sandboxing and that only the skill's own config is writable; avoid supplying other sensitive environment variables to this skill.
- The installer script expects OPENCLAW_SKILLS_DIR to be set and the upload docs reference a local developer path — treat those as developer leftovers, not instructions to expose local files. Do not point the skill at directories containing sensitive data.
- Review and set Telegram credentials only after confirming they are stored securely by your OpenClaw platform (do not paste them into shared logs). Consider running the skill in test mode first (daily-news-brief test) to verify behavior before enabling scheduled runs.
If you want higher assurance, request a small change from the author: replace child_process.exec + curl with a safe axios POST that sends JSON to the Telegram API and ensure all user-configurable strings are validated/escaped. With that change and removal/justification of unnecessary env reading, this would look coherent and lower-risk.
Patterns worth reviewing
deliverer/telegram.ts:138
Shell command execution detected (child_process).
index.ts:53
File read combined with network send (possible exfiltration).
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
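The hardening the scan recommends, as an added example that is not the Dailynewsreport skill's own code: the shell-interpolated curl string the report describes, beside a JSON POST that is built without ever invoking a shell. The token and chat-id patterns are assumptions (a conservative whitelist, not Telegram's official format specification); the request is sent through the runtime's global fetch, so axios could be substituted unchanged.

```typescript
// Added example, not the skill's code. Contrasts the flagged pattern
// (config values spliced into a shell command) with a shell-free JSON POST.

export interface TelegramConfig {
  botToken: string;
  chatId: string;
}

// The flagged pattern: configurable strings concatenated into a shell command.
// Kept here only for comparison; this example never executes it.
export function unsafeCurlCommand(cfg: TelegramConfig, text: string): string {
  return (
    `curl -s -X POST https://api.telegram.org/bot${cfg.botToken}/sendMessage` +
    ` -d chat_id=${cfg.chatId} -d text="${text}"`
  );
}

// Assumed shapes (whitelists, not an official spec): a token looks like
// "<digits>:<body>", a chat id is an integer (negative for groups) or "@username".
const TOKEN_RE = /^\d+:[A-Za-z0-9_-]+$/;
const CHAT_ID_RE = /^(-?\d+|@[A-Za-z0-9_]{5,})$/;

// Returns a list of problems; empty means the config is acceptable.
export function validateTelegramConfig(cfg: TelegramConfig): string[] {
  const problems: string[] = [];
  if (!TOKEN_RE.test(cfg.botToken)) problems.push("botToken does not match <digits>:<body>");
  if (!CHAT_ID_RE.test(cfg.chatId)) problems.push("chatId is neither an integer nor an @username");
  return problems;
}

export interface HttpRequest {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: string;
}

// Builds the sendMessage request as data. No shell is involved, the message text
// is JSON-encoded (so quotes and newlines are harmless), and the token and chat id
// are refused outright if they fail the whitelist.
export function buildSendMessageRequest(cfg: TelegramConfig, text: string): HttpRequest {
  const problems = validateTelegramConfig(cfg);
  if (problems.length > 0) throw new Error("refusing to send: " + problems.join("; "));
  return {
    url: `https://api.telegram.org/bot${cfg.botToken}/sendMessage`,
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ chat_id: cfg.chatId, text }),
  };
}

// Sends via the runtime's global fetch (Node 18+); returns the HTTP status code.
// Typed through globalThis so the file compiles without DOM or Node type packages.
export async function sendTelegramMessage(cfg: TelegramConfig, text: string): Promise<number> {
  const req = buildSendMessageRequest(cfg, text);
  const fetchFn = (globalThis as unknown as {
    fetch: (url: string, init: object) => Promise<{ status: number }>;
  }).fetch;
  const res = await fetchFn(req.url, { method: req.method, headers: req.headers, body: req.body });
  return res.status;
}
```

With a constructed chat id such as `123; echo injected`, `unsafeCurlCommand` returns a string that a shell would split at the semicolon, whereas `buildSendMessageRequest` throws before anything is built. A second reason to avoid the curl route: the bot token in a child-process argument list is visible to other local users through process listings, while the JSON request keeps it inside the process (it is still in the URL path by Telegram's API design, so do not log `req.url`).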
