News Digest
Review
Audited by ClawScan on May 10, 2026.
Overview
News Digest appears purpose-aligned for scheduled news aggregation, but users should review its API-key handling, optional cron/hook automation, and package provenance before enabling it.
Install only if you want an agent-assisted scheduled news digest. Before enabling automation, verify the publisher/source, configure API keys carefully, run the cron trigger in dry-run mode, and enable the bootstrap hook only if you want reminders injected into agent sessions.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may have less assurance that the reviewed package identity matches the registry listing.
This internal metadata differs from the supplied registry metadata, which lists a different owner ID, slug, and version; combined with unknown source/homepage, this is a provenance ambiguity.
"ownerId": "kn70cjr952qdec1nx70zs6wefn7ynq2t", "slug": "news-digest", "version": "1.0.0"
Verify the package source or publisher before enabling scheduled runs or adding API keys.
If cron is configured, the digest workflow can run automatically without a manual prompt each time.
The cron helper can start an OpenClaw session automatically at scheduled times. This is disclosed and central to the skill, but it is persistent agent activity.
openclaw run --message "$MESSAGE" 2>&1 | tee -a "$LOG_DIR/cron.log"
Use the documented dry-run first, review crontab entries, monitor logs, and remove the cron entries if automatic pushes are not desired.
If the hook is enabled, an agent session started during a push window may be nudged to run the digest even during a broader session.
The optional bootstrap hook injects a virtual reminder into agent context during active slots, which can steer the agent toward running the digest workflow.
"You should execute the news digest push workflow now:"
Enable the hook only if you want this behavior, and treat the reminder as subordinate to the user's current instruction.
A modified or untrusted .env file could execute commands when the cron trigger runs.
The cron script sources the first matching .env file to load credentials. This is common cron plumbing, but shell-sourcing a file executes shell syntax in that file.
set -a
source "$candidate"
set +a
Keep .env files user-owned and private, use simple KEY=VALUE lines, and do not place shell commands in them.
Anyone with these keys could use the associated provider accounts or quotas.
The skill requires provider API keys for Tavily and Xpoz/Twitter access. This is expected for the advertised integrations, but these credentials grant access to external services.
TAVILY_API_KEY=tvly-xxxxxxxxxxxxx
XPOZ_API_KEY=your-xpoz-key
Use scoped keys where available, do not paste real keys into chats or logs, and prefer the provided masked env-check over commands that print full secrets.
Past feedback and push history can influence future digest behavior.
The workflow intentionally reuses stored feedback to adjust future filtering and summaries, creating local persistent context across runs.
node {baseDir}/scripts/query.mjs feedback --days 3
Review recent feedback and adjust your filtering/summarization strategy accordingly.
Review or delete the skill's local data directory if old feedback should no longer affect future summaries.
