全网新闻聚合助手
PassAudited by ClawScan on May 10, 2026.
Overview
This skill is coherent for scheduled news aggregation and Feishu delivery, but users should notice that it can use a Feishu bot token, make external web requests, and keep running on a cron schedule when started.
Before installing, confirm you are comfortable with the configured news source URLs being fetched and the resulting digest being sent to the configured Feishu chat. Use a dedicated Feishu bot token, keep it private, and only start the scheduler if you want recurring automatic pushes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured, the bot token lets the skill post the generated digest to the selected Feishu conversation.
The skill can use a Feishu bot token from the environment to authenticate a message-send request to Feishu. This fits the documented Feishu push feature, but it grants posting authority for the configured bot/chat.
'Authorization': `Bearer ${process.env.FEISHU_BOT_TOKEN || ''}`Use a dedicated Feishu bot/token with only the needed chat access, keep the token out of logs and shared files, and verify the configured `chat_id` before running push or scheduler commands.
The skill will fetch each configured source and may include extracted titles/links in the digest.
The fetcher makes HTTP requests to URLs from the user configuration. This is central to news aggregation, but the configured sources determine what external or internal URLs are contacted.
const response = await axios.get(source.url, { timeout: 15000, headers: { 'User-Agent': 'Mozilla/5.0 (compatible; NewsAggregator/1.0)' } });Only add trusted public news/RSS sources to `config.json`; avoid private intranet, authenticated, or sensitive URLs unless you intentionally want their content summarized and possibly sent to Feishu.
If left running, the skill can continue fetching news and attempting Feishu pushes at the configured times.
The scheduler starts a cron job that repeatedly runs the news aggregation and push workflow. This is disclosed by the skill and requires the user to start the scheduler, but it is persistent while the process remains running.
const job = cron.schedule(schedule, async () => { ... await main(); ... }, { scheduled: true, timezone: 'UTC' });Run the scheduler only when you want recurring delivery, review the cron expression, and stop it with Ctrl+C or your process manager when no longer needed.
Installing dependencies runs the normal npm package resolution/install process for this Node.js skill.
The skill relies on npm dependencies installed manually, while the registry install spec lists no automated install requirements. The included package-lock pins resolved packages, so this is mainly a setup/provenance notice.
npm install
Install from a trusted skill package, keep the included lockfile, and review dependency changes before updating.