ClawHub

Feedto

v0.3.3

Auto-pull and process feeds from FeedTo.ai — the cross-platform AI feed input.

0· 148·1 current·1 all-time
by@isopenclaw
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (curl), primary env var (FEEDTO_API_KEY), and the two included scripts all align with a poll-and-mark-read FeedTo integration. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions limit actions to running scripts that GET pending feeds and PATCH them as read. The SKILL.md explicitly instructs relaying feed 'content' verbatim and then calling mark_read.sh. This is coherent with the skill's purpose but intentionally exposes the agent/user to arbitrary external content; the SKILL.md warns not to execute embedded instructions, which mitigates but does not eliminate the operational risk of social-engineered payloads or malicious links.
Install Mechanism
There is no install spec (instruction-only with two small shell scripts). Nothing is downloaded from external/untrusted URLs at install time; scripts are simple bash using curl.
Credentials
Only FEEDTO_API_KEY (primary) is required and is appropriate for the declared API calls. No other unrelated secrets or broad environment access is requested.
Persistence & Privilege
The skill is not always-enabled and uses the normal autonomous invocation model. It does not request elevated system privileges or modify other skills' configuration. It does expect the API key to be configured in the agent config as described.
Assessment
This skill is internally consistent for polling FeedTo.ai and marking feeds read. Before installing: (1) Only provide a FeedTo API key (FEEDTO_API_KEY); use a key with limited scope if available. (2) Be aware the skill will relay external feed content verbatim — do not treat those relayed items as safe or executable and avoid having the agent auto-act on them. (3) Review feed sources and consider isolating this skill or running it with a dedicated account to limit blast radius from malicious content. (4) Note the scripts use the default API URL (https://feedto.ai) and mark_read.sh will PATCH feed status; inspect/modify API_URL if you use a self-hosted or proxied endpoint. (5) If you want stronger assurance, run the scripts manually once to verify behavior and ensure the FEEDTO_API_KEY is stored securely in your OpenClaw configuration.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e568vez16r16st1d48dpcq583qd7n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📥 Clawdis
Binscurl
EnvFEEDTO_API_KEY
Primary envFEEDTO_API_KEY

Comments