Non-Annoying News
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: non-annoying-news Version: 0.2.1 The skill bundle is a well-structured tool for generating personalized newspapers from various digital signals. While it possesses high-risk capabilities such as task scheduling (cron) and processing sensitive data (browser bookmarks, X/Twitter bookmarks), it includes robust safety instructions and a dedicated privacy-focused script (`scripts/qa_text.py`) designed to detect and block the inclusion of local file paths or private identifiers in the output. The instructions in `SKILL.md` and `references/onboarding.md` explicitly mandate user consent for automation and warn against requesting credentials in chat, demonstrating a clear focus on privacy and user control rather than malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Enabling these adapters could let the agent read private saved items, bookmarks, newsletter content, or app data to build the digest.
The skill may use existing account, browser, read-later, or mailbox integrations. This is purpose-aligned for a personal digest and is constrained to already configured local tools, but it still touches private account-adjacent data.
Use only when already configured locally: X/Twitter bookmarks via local CLI/API/MCP/export; Browser reading list or browser bookmarks via local browser profile/export; Read-later apps via configured CLI/MCP/API; Newsletter/mailbox search via configured mail tools.
Enable only the specific adapters you want, prefer exports or pasted URLs when possible, and do not paste tokens, cookies, or secrets into chat.
If you approve a cron or scheduled job, the digest workflow may continue running in the future using the configured sources and delivery target.
The skill supports recurring scheduled operation, which is persistent future behavior, but the instructions explicitly require user confirmation before scheduling.
A cron or scheduled job changes future behavior. Ask explicitly before creating one.
Approve scheduling only after reviewing the cadence, source set, delivery target, and whether external sending is allowed without per-issue approval.
A renderer install could add local dependencies and browser binaries to the environment.
Rendering PDFs may require installing or using an external browser-rendering dependency. This is central to the skill's PDF output purpose, but users should be aware before allowing package installation.
If the browser renderer is missing, use Playwright/Chromium if installable.
Use an existing trusted renderer when available, and approve any Playwright/Chromium installation explicitly.
Local config or source manifests may reveal your interests, preferred sources, delivery channels, and recurring reading habits.
The skill relies on persistent local configuration and source context for personalization and recurring runs. The artifacts include good privacy guidance, but the stored preferences and source lists are still sensitive.
Keep user-specific configuration outside the public skill directory... Never store tokens, cookies, private handles, channel IDs, or personal preferences inside the reusable public skill.
Keep configs and generated manifests in a private workspace, review them before recurring use, and avoid storing secrets or unnecessary personal identifiers.