Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
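Foreign Trade News Aggregator (multi-source RSS + translation + Feishu push)
v2.3.3 · Automatically fetches foreign-trade news from multiple RSS sources, translates the headlines to generate a Chinese Markdown report, and supports pushing updates through a Feishu bot.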
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (multi-source RSS, translation, Feishu push) aligns with the included scripts: daily-news.sh fetches RSS and calls Baidu, classify_news.py builds a Feishu card, trend_analysis.py generates weekly stats. However the registry metadata at the top claims no required env vars/binaries whereas SKILL.md and clawhub.json declare BAIDU_APPID/BAIDU_SECRET and command-line tools (curl, jq, md5sum, xmlstarlet). Also the Python scripts need Python and the 'requests' library but that dependency is not declared.
Instruction Scope
SKILL.md instructs setting BAIDU credentials and optionally FEISHU_WEBHOOK and running the scripts — that fits the task. But trend_analysis.py will exit if FEISHU_WEBHOOK is unset (it treats the webhook as required), contradicting SKILL.md's 'optional' label. classify_news.py also attempts to POST to the webhook without checking it's non-empty. The scripts read/write files under the user's home (~/trade-news.md, ~/.openclaw/workspace/history) — expected for this use but worth noting.
Install Mechanism
This is instruction-only (no install spec), lowering install risk. But the runtime requirements are incomplete: the shell script lists system binaries (curl, jq, md5sum, xmlstarlet) yet the package manifest and SKILL.md omit Python and the Python 'requests' package required by the .py files. The absence of an explicit install step or dependency install is a usability/consistency issue.
Credentials
Requested secrets (BAIDU_APPID, BAIDU_SECRET) are proportional to the translation feature. FEISHU_WEBHOOK is a reasonable optional integration. However there are contradictory signals: the top-level registry metadata says 'Required env vars: none', clawhub.json lists the three env vars, SKILL.md marks FEISHU_WEBHOOK optional, but trend_analysis.py treats FEISHU_WEBHOOK as required. These inconsistencies increase risk of misconfiguration and accidental leaks if users set envs expecting different behavior.
Persistence & Privilege
The skill does not request elevated privileges or 'always: true'. It writes user-visible files in the user's home directory (~/trade-news.md and ~/.openclaw/workspace/history) and will run Python scripts; this is standard for a user-level RSS aggregation tool. Nothing modifies other skills or system-wide agent settings.
What to consider before installing
This skill appears to implement what it claims, but several inconsistencies and missing runtime declarations mean you should be cautious before installing. Specifically:
(1) the code requires BAIDU_APPID and BAIDU_SECRET (translation) and will use a FEISHU_WEBHOOK to post content — confirm you trust the webhook destination;
(2) the package/registry metadata incorrectly lists no required env vars while the scripts do require secrets — fix or verify env settings before running;
(3) the Python scripts require Python 3 and the 'requests' library (not declared) — install those in a controlled environment (virtualenv) first;
(4) trend_analysis.py currently will fail unless FEISHU_WEBHOOK is set despite SKILL.md marking it optional;
(5) the scripts write files to your home (~/trade-news.md and ~/.openclaw/workspace/history) — review and, if desired, run in an isolated account or container.
If you plan to use it, ask the author to correct the manifest (declare Python + requests, clarify FEISHU_WEBHOOK requirement) or run the scripts in a sandbox until those inconsistencies are resolved.
Like a lobster shell, security has layers — review code before you run it.
