Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Digest Builder
v1.0.0将聚合池中的原始候选内容转换为可判断的 Digest:优先从 FreshRSS 的未读列表经 Google Reader API 拉取候选,再执行 URL 去重、相似事件聚类、正文抓取检查、噪音过滤、摘要生成与初步排序。用于需要把一批原始 feed 条目或 FreshRSS 未读条目整理成结构化候选文档的场景。
⭐ 0· 64·0 current·0 all-time
by阿晨聊技术@gcdd1993
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name, description, SKILL.md and included scripts consistently implement: fetching FreshRSS unread via the Google Reader API, URL deduplication, clustering, body fetching, noise filtering, summary generation and output to local files. The requested functionality matches the stated purpose.
Instruction Scope
SKILL.md clearly restricts scope to FreshRSS fetch → slice → dedupe → summarize and explicitly says not to auto-mark items read. Instructions reference only FreshRSS endpoints, local files, and typical processing steps; they do not ask to read unrelated system files or to transmit data to unknown external endpoints.
Install Mechanism
There is no install spec and all code is plain Python scripts included in the bundle. No external download/installation from untrusted URLs is present. This is the lowest-risk install pattern for a code-containing skill.
Credentials
The registry metadata declares no required environment variables or primary credential, but the SKILL.md and scripts explicitly expect FreshRSS configuration and an API password (FRESHRSS_BASE_URL, FRESHRSS_USERNAME, FRESHRSS_API_PASSWORD or a config JSON including api_password). That mismatch is problematic: the skill will fail without these secrets, and the metadata does not warn users or request them up front.
Persistence & Privilege
The skill does not request always:true, does not persistently modify other skills or system settings, and by default does not mark items as read. A separate mark_freshrss_read script exists but only runs if explicitly invoked; the SKILL.md forbids automatic back-writing of read state by default.
What to consider before installing
This skill appears to do what it says (fetch FreshRSS unread items and build a deduplicated digest) but the registry failed to declare the FreshRSS credentials it needs. Before installing or running: (1) review the included Python scripts yourself or with a developer you trust; (2) expect to provide FRESHRSS_BASE_URL, FRESHRSS_USERNAME and FRESHRSS_API_PASSWORD (or a config file containing api_password) — do not supply your main login password if FreshRSS supports an API-specific password; (3) run the scripts in an isolated environment (container/VM) since they will make outbound HTTP requests to your FreshRSS instance and to article URLs to fetch bodies; (4) note that a mark-as-read helper exists but is not run by default — only run it if you explicitly want the skill to change your FreshRSS state; (5) if you need the registry to enforce least privilege, ask the publisher to update metadata to declare the required env vars and describe exactly what network calls the skill makes.Like a lobster shell, security has layers — review code before you run it.
latestvk9783pzd0n4wzh44aypzdanzy183txqd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.