Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
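ClawFeed News Push
v1.0.0
ClawFeed news digest push to Feishu. Periodically fetches global news (BBC · CNBC · Reuters · Al Jazeera) → AI generates a Chinese summary → pushes to Feishu. Trigger conditions: (1) the user requests a news push (2) a test push (3) configuring a scheduled task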
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose is reasonable (fetch news → summarize → push to Feishu), but the SKILL.md references resources not declared in the registry metadata: a MiniMax API key, a running ClawFeed service on localhost:8767, and an existing openclaw CLI installation. The skill metadata lists no required env vars or credentials, yet the instructions require at least an AI API key and Feishu access — this mismatch is disproportionate and incoherent.
Instruction Scope
The runtime instructions reference specific files and paths in the user's home (~/.openclaw/workspace/scripts/...), show a crontab entry already registered, and instruct executing local scripts. They also note a default hardcoded Feishu target ID (user:ou_30597b1b45c505faac65f11983d1276d) which could cause messages to be sent to an unexpected recipient. The instructions assume existence of local services and files that are not bundled or installed by the skill and do not specify how secrets are provided or stored.
Install Mechanism
There is no install spec (instruction-only), which is the lowest installer risk. However the SKILL.md presumes pre-existing installed components (openclaw CLI, local ClawFeed service) and scheduled tasks, which the registry does not manage or verify.
Credentials
The SKILL.md explicitly mentions a 'MiniMax API Key' and requires pushing to Feishu (which normally needs a webhook/token or SDK credentials), yet the registry lists no required env vars or primary credential. That omission is a red flag: the skill needs secrets but does not declare them, and the method/location for storing/reading those secrets is unspecified.
Persistence & Privilege
always:false (good). But the instructions reference an existing crontab entry and scripts in ~/.openclaw/workspace, implying persistent scheduled behavior outside the skill bundle. The skill itself does not request system-wide privileges in metadata, but the documented behavior (periodic pushes) depends on previously installed scheduled tasks — confirm who set those up and what they do.
What to consider before installing
Do not install or run this skill without manual verification. Ask the author for: (1) exact list of required credentials (MiniMax API key and Feishu token/webhook) and where they are expected to be stored; (2) the source code for the scripts referenced (~/.openclaw/workspace/scripts/*) and confirmation that the crontab entry is legitimate. Before running, inspect the scripts and crontab yourself to confirm the push target (change the hardcoded Feishu ID), ensure the MiniMax key and any Feishu credentials are provided securely (not accidentally in plaintext files), and verify the local ClawFeed service and openclaw CLI are from trusted sources. If you cannot review the scripts, do not enable scheduled pushes — run things manually under controlled conditions first.
Like a lobster shell, security has layers — review code before you run it.
