Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Intel Daily
v1.0.0
AI Product Manager daily intelligence digest. Fetches news from 16+ curated RSS sources across tech media, AI labs, research papers, developer communities, a...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (RSS-based AI news digest, Chinese translation, dedupe, date filtering) matches the included script and SKILL.md. The script fetches the listed feeds, filters by date, deduplicates, translates, caches seen items, and writes a Markdown digest—these are coherent with the stated purpose.
Instruction Scope
SKILL.md only instructs to create a venv, pip install feedparser and googletrans, and run the provided script. The script only reads/writes files in its directory (seen_articles.json, latest_digest.md), fetches public RSS feeds and translation endpoints, and prints the digest. It does not access unrelated system config or environment variables. However, the SKILL.md claims use of “Google Translate API (no config)”, while the code uses the unofficial googletrans library (which performs HTTP requests to Google Translate endpoints), so network calls go beyond RSS sources and may be subject to blocking, rate limits, or different privacy/ToS implications.
Install Mechanism
No packaged install in the registry; installation is instruction-only and uses pip to install feedparser and googletrans==4.0.0-rc1 into a local venv. Using PyPI packages is expected here, but googletrans is an unofficial client (4.0.0-rc1) and can be fragile or perform scraping-like requests. This is moderate risk relative to installing only vetted system packages.
Credentials
The skill declares no required credentials or env vars, and the code does not read secrets. That is proportional. But SKILL.md's wording (“Google Translate API, no config”) is misleading—no Google Cloud API key is used; instead the unofficial googletrans is used. This is a potential surprise for users expecting an officially authenticated API and has reliability/ToS implications.
Persistence & Privilege
The skill is not forced-always, does not request elevated agent privileges, and only writes two local files in its own directory (seen_articles.json and latest_digest.md). It does not modify other skills or system-wide config.
What to consider before installing
This skill appears to implement the advertised RSS-to-Chinese-digest functionality, but review before running: (1) The SKILL.md says “Google Translate API” but the code uses the unofficial googletrans package (no API key) which performs HTTP calls to Google's translate endpoints—this can break, be rate-limited, or violate terms. (2) The code awaits translator.translate (an apparent async/sync mismatch) and may crash; expect runtime bugs. (3) The script installs a third-party PyPI package (googletrans==4.0.0-rc1) — if you care about supply-chain risk, inspect that package or replace it with an official client (e.g., google-cloud-translate with a proper API key) or another vetted translator. (4) The script writes seen_articles.json and latest_digest.md into the skill folder and fetches many external RSS/translation endpoints; run it in an isolated environment (sandbox or container), verify network policy, and check the googletrans package source and recent security reports before trusting it with sensitive environments. If you only want to try it, run it locally in a disposable venv and inspect network traffic and package contents first.
Like a lobster shell, security has layers — review code before you run it.
