Security audit
holo RSS Reader
Security checks across malware telemetry and agentic risk
Overview
This appears to be a real RSS reader that mostly does what it claims, but its metadata under-declares some runtime dependencies and optional configuration variables.
This skill looks internally consistent with an RSS reader. Before installing, understand that it will make network requests to GitHub/Gist, wechat2rss, and any feed/article URLs in your subscriptions, and it will cache content locally under `~/data/rss` by default. If you use a proxy for privacy, review the direct retry behavior. If you want to reduce SSRF-style risk from untrusted OPML/feed sources, configure the skill's restricted or allowlist security mode.
VirusTotal
62/62 vendors flagged this plugin as clean.
Static analysis
No suspicious patterns detected.
