news-daily

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill mostly matches its news-to-Feishu purpose, but its script disables HTTPS certificate checks while using a Feishu webhook, which could let a network attacker intercept the bot URL or alter sent news.

Review or patch the Python script before installing: remove the SSL certificate bypass, then use a dedicated Feishu webhook and configure scheduling only if you want automatic daily posts.

Static analysis

Static analysis findings are pending for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

On an untrusted or compromised network, someone could impersonate the RSS or Feishu endpoint, alter the news being sent, or potentially observe the Feishu webhook URL used to post to the group.

Why it was flagged

The script uses a shared SSL context that disables certificate and hostname verification for external requests, including the Feishu webhook POST.

Skill content

ssl_context.check_hostname = False; ssl_context.verify_mode = ssl.CERT_NONE; ... urllib.request.urlopen(req, timeout=30, context=ssl_context)

Recommendation

Remove the custom no-verify SSL context and use Python's default certificate validation. If a feed has certificate problems, handle that feed explicitly rather than disabling verification globally.

What this means

Anyone who obtains the webhook URL may be able to post messages to the configured Feishu group.

Why it was flagged

The skill requires a Feishu bot webhook, which is a bearer-style posting credential for a group chat. This is expected for the stated purpose, though the registry metadata does not declare a primary credential.

Skill content

export NEWS_DAILY_WEBHOOK="你的Webhook地址" ... "webhook_url": "https://open.feishu.cn/open-apis/bot/v2/hook/xxx"

Recommendation

Use a dedicated Feishu bot/webhook for this skill, avoid committing config.json with the webhook, and rotate the webhook if it is exposed.

What this means

If configured, the skill may keep posting daily news to the Feishu group until the cron or hook entry is removed.

Why it was flagged

The documentation supports a scheduled task that can continue sending news automatically after setup.

Skill content

openclaw cron add --name "新闻日报" --cron "0 8 * * *" --system-event "news-daily" --session main

Recommendation

Test manually first, configure scheduling only if desired, and keep a clear removal/disable procedure for the cron or hook.