Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Japanese News Briefing 日本語でニュースまとめ

v1.0.0

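Delivers concise briefings in Japanese, four times a day, covering the Iran-Israel situation, the US and Japanese economies, and the weather in Tokyo and New York.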

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (Japanese news briefing 4x/day) match the instructions: uses a web-search plugin and weather APIs to collect news and weather. No unrelated binaries, environment variables, or unusual installs are requested.
Instruction Scope
SKILL.md confines itself to collecting web news and weather and formatting briefings. It requires the ollama_web_search plugin and wttr.in/Open-Meteo for weather, which is expected for a news skill. However, the skill is designed to run automatically four times per day and will perform outbound web requests; ensure the web-search plugin is trusted and that fetched sources are acceptable. Also, the pre-scan flagged Unicode control characters in SKILL.md, which could hide or alter instructions; inspect the raw file for hidden content before enabling automatic runs.
Install Mechanism
Instruction-only skill with no install spec and no code to write to disk. Lowest-risk install footprint.
Credentials
No environment variables, credentials, or config paths are requested. The declared prerequisites (OpenClaw 2026.3+, a web-search plugin, and a weather API) are proportional to a news/weather briefing skill.
Persistence & Privilege
The skill is intended to be scheduled/autonomously invoked (four times daily). always:false (normal). Because it will autonomously fetch external web content on a schedule, consider enabling it only after verifying the SKILL.md integrity and trusting the web-search plugin.
Scan Findings in Context
[unicode-control-chars] unexpected: The static scan detected Unicode control characters in SKILL.md. These are not expected for a simple README/instructions and can be used to hide or manipulate text (prompt-injection technique). Recommend a manual, byte-level review of SKILL.md to confirm there are no hidden instructions or obfuscated content before enabling automatic execution.
What to consider before installing
This skill appears to do what it claims (collect news and weather and summarize in Japanese) and asks for no credentials or installs, which is good. However, the SKILL.md contained Unicode control characters flagged by the scanner, which could be benign formatting or an attempt to hide instructions. Before installing or enabling scheduled/autonomous runs:

1) Open SKILL.md in a hex/byte viewer or a trusted text editor and search for invisible Unicode control characters (e.g., U+202A..U+202E, U+200B, etc.).
2) Verify the ollama_web_search plugin you must enable is from a trusted source (it will fetch arbitrary web pages).
3) Keep the skill disabled from automatic scheduling until you confirm the file contents and decide which sites are acceptable to be fetched.
4) If unsure, ask the author for the official repository link and a signed release, or check the GitHub repo mentioned in README.md for matching files.

If you want to be extra cautious, run the skill in a restricted/sandboxed agent instance or disable autonomous invocation and trigger it manually after inspection.


latestvk974gbxya0mds79t5t41kndr7s84cy4y
