Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
news-daily
v1.0.0获取新闻热榜(国内、国际、科技、AI)并发送到飞书。不依赖本地工程,直接从 RSS 获取数据。
⭐ 0· 301·3 current·4 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, SKILL.md, README, and the Python script all consistently implement RSS aggregation and posting formatted cards to a Feishu webhook. Required env/config (NEWS_DAILY_WEBHOOK or scripts/config.json) aligns with that purpose; no unrelated services or credentials are requested.
Instruction Scope
Runtime instructions and code stay within expected scope (fetch RSS feeds from listed sources, format, and POST to a Feishu webhook). However, the bundled script explicitly disables SSL certificate verification (ssl_context.verify_mode = ssl.CERT_NONE), which weakens TLS and can allow MITM attacks when fetching feeds or posting to the webhook. The SKILL.md also instructs editing OpenClaw config to add hooks, which modifies system-level agent config (expected for scheduling but worth noting).
Install Mechanism
No install spec (instruction-only skill) and only lightweight files are included. The user is expected to copy the skill into the OpenClaw workspace; nothing is downloaded from arbitrary URLs or installed automatically.
Credentials
Only one sensitive runtime item is used: the Feishu webhook (via NEWS_DAILY_WEBHOOK or config.json). That is proportional to the stated purpose. The skill does not request unrelated credentials or other environment secrets.
Persistence & Privilege
always:false and user-invocable means normal privileges. The SKILL.md suggests enabling OpenClaw hooks/cron entries (which will change platform configuration to schedule the job) — this is expected for automated runs but is a system-level change the user should approve.
Assessment
This skill appears to do exactly what it claims: aggregate RSS feeds and post a formatted message to a Feishu webhook. Before installing, verify you trust the target Feishu webhook and the group it posts into (webhooks can receive any content the script sends). Inspect or modify the script to remove the insecure TLS behavior: it disables SSL certificate verification (ssl.CERT_NONE) — change to use the default SSL context to avoid MITM risk. If you enable automatic scheduling, be aware OpenClaw config changes will be applied; back up your OpenClaw config first. Run the script in a restricted environment if you are cautious, and keep the webhook URL secret (store in an environment variable rather than a checked-in config file).Like a lobster shell, security has layers — review code before you run it.
dailyvk974rwxae7e5e79tb8d5yqh7jx82fckzfeishuvk974rwxae7e5e79tb8d5yqh7jx82fckzlatestvk974rwxae7e5e79tb8d5yqh7jx82fckznewsvk974rwxae7e5e79tb8d5yqh7jx82fckzrssvk974rwxae7e5e79tb8d5yqh7jx82fckz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.