RSS Feeds
Review
Audited by ClawScan on Feb 28, 2026.
Overview
The plugin appears to implement the RSS/CVE/Ghost features it describes, but there are inconsistencies around installation metadata and packaging that warrant caution before installing.
Things to check before installing:

- Confirm origin: verify the npm package name and publisher (@elvatis_com) and review the repository (catalog.yaml points to https://github.com/elvatis/openclaw-rss-feeds). Prefer packages with a published, signed release or reputable maintainer.
- Clarify install behavior with the platform: the registry lists this as 'instruction-only' but the bundle contains package.json and build output references; ask how the platform will install and build the plugin and its dependencies.
- Protect secrets: store Ghost adminKey and NVD API key only in plugin config protected by the platform (they are marked sensitive). Do not paste those keys into logs or public examples.
- Least privilege for Ghost: use a Ghost Admin key scoped to the single site and account you intend to publish to. Treat the adminKey as a sensitive long-lived credential.
- Network considerations: this plugin makes outbound HTTP calls (RSS feeds, NVD, Ghost, notification channels). If you run in a restricted environment, review allowed egress destinations and rate limits.
- If you want extra assurance: review the package contents on the npm registry (audit package tarball), run the plugin in an isolated environment first, and/or request the maintainer to add an explicit platform install spec so the installation steps are deterministic.

Overall: functionality is coherent, but the packaging/install metadata mismatch and the fact this plugin performs network operations and accepts secrets make a short review and source-origin check advisable before enabling it in production.
