News Digest

This skill largely does what it says (fetches from Tavily, Hacker News, and optionally Twitter) and stores results locally, but two things merit attention before installing or enabling it: 1) Delivery gap: The SKILL.md promises delivery via Feishu/Telegram, yet there are no required environment variables or clear delivery scripts for those services in the inspected files. Ask the author or inspect the omitted files to confirm how push delivery is implemented and where to provide Feishu/Telegram credentials. If delivery runs via the agent's own connectors, make sure you understand which account/channel will be used. 2) .env sourcing and secret exposure: The cron-trigger.sh script sources an .env file and uses set -a (exports all variables). If your workspace ~/.env or ~/.openclaw/workspace/.env contains other credentials, those will be exported into the environment when cron runs this script and could be visible to the spawned OpenClaw session and to logs. Recommendations: - Keep the .env used by this skill minimal (only the keys needed for this skill), or use a dedicated .env for the skill root. - Run cron-trigger.sh --dry-run to confirm what it will do and which env file it picks up. - Inspect store-push and any delivery-related scripts (the audit omitted a few files) to ensure they don't transmit stored data or logs to unexpected endpoints. Other small points to check: the XPOZ/Twitter integration seems to rely on an external tool (xpoz_search_tweets) not bundled here — confirm you have or will provide that tool and its credentials; env-check prints a four-character prefix of TAVILY_API_KEY to stdout (may end up in logs) — if you consider that sensitive, avoid running env-check in shared log locations. Because these issues are about how secrets and delivery are handled (not obviously malicious code), treat the package as suspicious until you validate the delivery mechanism and restrict which .env is loaded.