RSS Feeds
v0.2.0RSS/Atom feed digest with optional CVE enrichment, Ghost CMS drafts, and channel notifications
⭐ 0· 512·6 current·6 all-time
byelvatis_com@homeofe
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the code and tests: feed fetching (rss-parser), optional NVD CVE enrichment, Ghost Admin API publishing (HS256 JWT via jsonwebtoken), and notifications. Nothing in the code requests unrelated cloud credentials or system access. Minor incoherence: the registry metadata states 'No install spec — this is an instruction-only skill' while the bundle includes full source and package.json (with dependencies) and the SKILL.md instructs users to 'npm install @elvatis_com/openclaw-rss-feeds' — that mismatch is unexpected but not necessarily malicious.
Instruction Scope
SKILL.md runtime instructions are narrowly scoped to fetch RSS/Atom feeds, call NVD, produce HTML digests, optionally publish to Ghost using the provided adminKey, and send notifications. The instructions do not direct the agent to read unrelated files or arbitrary environment variables. Ghost and NVD integration details are documented and align with the code (e.g., HS256 JWT generation, NVD keyword searches and rate-limiting).
Install Mechanism
Registry metadata claims 'instruction-only' but the package contains source, package.json, and an npm install instruction in SKILL.md. There is no registry install spec provided to the platform; that inconsistency could cause unexpected install behavior (e.g., the platform might not automatically install dependencies). On the plus side, dependencies come from npm (jsonwebtoken, node-cron, rss-parser) — no downloads from arbitrary URLs or embedded obfuscated code were found in the provided files. Still, the missing/ambiguous install metadata is an operational risk and should be clarified before installing.
Credentials
The skill does not request environment variables or platform-level credentials. Sensitive secrets are handled as plugin configuration fields (ghost.adminKey, nvdApiKey) and the plugin schema marks them as sensitive. Those credentials are appropriate for the described integrations. There are no unexpected credentials or config paths requested.
Persistence & Privilege
Plugin is not always-enabled (always:false) and is user-invocable. It does not request elevated platform privileges or attempt to modify other skills' configurations. Autonomous invocation is allowed by default but not combined with other red flags here.
What to consider before installing
Things to check before installing:
- Confirm origin: verify the npm package name and publisher (@elvatis_com) and review the repository (catalog.yaml points to https://github.com/elvatis/openclaw-rss-feeds). Prefer packages with a published, signed release or reputable maintainer.
- Clarify install behavior with the platform: the registry lists this as 'instruction-only' but the bundle contains package.json and build output references; ask how the platform will install and build the plugin and its dependencies.
- Protect secrets: store Ghost adminKey and NVD API key only in plugin config protected by the platform (they are marked sensitive). Do not paste those keys into logs or public examples.
- Least privilege for Ghost: use a Ghost Admin key scoped to the single site and account you intend to publish to. Treat the adminKey as a sensitive long-lived credential.
- Network considerations: this plugin makes outbound HTTP calls (RSS feeds, NVD, Ghost, notification channels). If you run in a restricted environment, review allowed egress destinations and rate limits.
- If you want extra assurance: review the package contents on the npm registry (audit package tarball), run the plugin in an isolated environment first, and/or request the maintainer to add an explicit platform install spec so the installation steps are deterministic.
Overall: functionality is coherent, but the packaging/install metadata mismatch and the fact this plugin performs network operations and accepts secrets make a short review and source-origin check advisable before enabling it in production.Like a lobster shell, security has layers — review code before you run it.
elvatislatestopenclawplugin
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
@elvatis_com/openclaw-rss-feeds
OpenClaw plugin for RSS and Atom security digests with optional NVD CVE enrichment, Ghost CMS draft publishing, and channel notifications.
Installation
npm install @elvatis_com/openclaw-rss-feeds
Then enable the plugin in your OpenClaw plugin config.
Configuration
The plugin schema is defined in openclaw.plugin.json.
Example with all supported options:
{
"plugins": {
"openclaw-rss-feeds": {
"feeds": [
{
"id": "fortinet",
"name": "Fortinet PSIRT",
"url": "https://www.fortiguard.com/rss/ir.xml",
"keywords": ["fortinet", "fortigate", "fortios"],
"enrichCve": true,
"cvssThreshold": 7,
"tags": ["fortinet", "security", "digest"],
"docsUrlTemplate": "https://docs.fortinet.com/product/{product}/{version}/release-notes",
"productHighlightPattern": "Forti(?:Gate|OS|Analyzer|Manager|Client|Proxy)"
},
{
"id": "m365",
"name": "Microsoft 365 Message Center",
"url": "https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=&rss=1",
"keywords": ["security", "vulnerability", "defender"],
"enrichCve": true,
"cvssThreshold": 6.5,
"tags": ["microsoft-365", "security"]
},
{
"id": "bsi",
"name": "BSI CERT-Bund",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?rss",
"keywords": ["kritisch", "critical", "cve"],
"enrichCve": false,
"tags": ["bsi", "cert-bund"]
},
{
"id": "heise-security",
"name": "Heise Security",
"url": "https://www.heise.de/security/rss/news-atom.xml",
"keywords": ["cve", "security", "ransomware"],
"enrichCve": false,
"tags": ["heise", "security-news"]
}
],
"schedule": "0 9 1 * *",
"lookbackDays": 31,
"ghost": {
"url": "https://blog.example.com",
"adminKey": "<ghost-admin-key-id>:<ghost-admin-key-secret-hex>"
},
"notify": [
"whatsapp:<phone>",
"telegram:123456789"
],
"nvdApiKey": "<nvd-api-key-optional>"
}
}
}
Usage
Automatic run via cron schedule
If schedule is set, the plugin registers a scheduler and runs automatically.
Example:
0 9 1 * *runs at 09:00 on day 1 of every month0 8 * * 1runs every Monday at 08:00
Manual run via tool
You can trigger digest generation manually with the registered tool:
- Tool name:
rss_run_digest - Optional parameter:
dryRun: true
dryRun fetches and formats the digest but skips Ghost publishing and notifications.
CVE Enrichment
If a feed has enrichCve: true, the plugin calls the NVD CVE API and enriches the digest with:
- CVE ID
- CVSS score (filtered by
cvssThreshold) - CVE description
- Link to NVD details
Notes:
- CVE enrichment is keyword-driven via each feed's
keywords - Requests are rate-limited between keyword lookups
- NVD failures are handled as non-fatal, feed processing continues
Ghost CMS Integration
If ghost is configured, the digest is published as a draft post through the Ghost Admin API.
Implementation details:
- HS256 JWT is generated from
adminKey(id:secretformat) - API endpoint:
/ghost/api/admin/posts/?source=html - Digest is sent as HTML body
- Tags are merged from all configured feed
tags
If Ghost fails, digest generation still succeeds and the error is reported in result metadata and optional notifications.
Notifications
If notify contains targets (format channel:target), a summary notification is sent after the run.
Example targets:
whatsapp:<phone>telegram:123456789discord:#security
Development
npm install
npx tsc --noEmit
npm test
npm run build
License
MIT
Files
21 totalSelect a file
Select a file to preview.
Comments
Loading comments…