Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, required binaries (node/npm), package.json, and the two scripts (news.mjs, search.mjs) are consistent with a small crypto news aggregator. However many advertised features (push/subscribe, sentiment analysis scripts, config/sources.json editing, caching/update scheduler) are mentioned but not implemented in the included files. The funding/sponsorship addresses are present in README/SKILL.md but are unrelated to runtime needs (not an env var).
Instruction Scope
SKILL.md and README reference multiple scripts that do not exist in the bundle (subscribe.mjs, sentiment.mjs, sentiment commands, scripts_news.mjs typos) and instruct editing config/sources.json though there is no config directory included. The main news script is mock-data only (it doesn't fetch RSS), while search.mjs does fetch RSS from hardcoded sources. The instructions are therefore inconsistent and overly broad compared to the packaged code.
Install Mechanism
The registry entry contains no install spec (lowest platform risk) but SKILL.md tells users to run `npx @gztanht/newspulse`. Running that outside this platform would download and run a package from the npm registry — a different code path than the embedded files. This is not inherently malicious but is a behavioral inconsistency and an operational risk if the remote package differs from the bundled code.
Credentials
The skill requests no environment variables or credentials and does not reference any sensitive config paths. The only potentially sensitive artifacts are blockchain sponsorship addresses in README/SKILL.md, which are informational and not used by the code.
Persistence & Privilege
Skill flags are normal (always:false, model invocation enabled). It does not request permanent presence or modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a simple crypto news tool, but there are multiple mismatches between what the README/SKILL.md promises and the code included: subscription/sentiment scripts, a config folder and caching/scheduling are advertised but missing; the main news script uses mock data rather than fetching feeds, while the search script does fetch RSS from hardcoded sources. Before installing or running: 1) Don't run `npx @gztanht/newspulse` blindly — that will fetch remote code which may differ from these files; prefer inspecting the package on npm/GitHub first. 2) Verify the owner/repository and review the published package contents (and any postinstall scripts) if you intend to use npx. 3) If you want the advertised features (subscribe, sentiment), ask the author for the missing scripts or a trustworthy source. 4) Run any untrusted code in a sandbox/container and avoid providing credentials or secrets. These inconsistencies are suspicious but not conclusive evidence of malicious intent.Like a lobster shell, security has layers — review code before you run it.
latestvk9729gmwb91aey3fj9xvqm5r0n82cqxa
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📰 Clawdis
Binsnpm, node