RSS & Atom Feed Generator
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: rss-generator-skill Version: 1.0.0 The skill bundle provides a framework for generating RSS feeds from web pages but is classified as suspicious due to the inclusion of direct shell execution instructions (curl/wget) in 'references/protocol-routing.md' and 'examples/vivianvoss-net.md'. These instructions lack input sanitization guidance, creating a risk of shell injection if the agent processes a malicious URL. Furthermore, the skill relies heavily on external endpoints at 'linkeddata.uriburner.com' for core functionality (WEB_FETCH, MCP, and LLM-mediated execution), which introduces third-party dependency risks and potential data proxying.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may fetch the requested page through an external fetch tool or local curl, and optional headers could expose sensitive authorization data if used carelessly.
The skill gives the agent broad web-fetching options for user-provided URLs, including optional headers. This is necessary for feed generation, but it is a capability users should understand.
Retrieve the target URL by invoking the `WEB_FETCH` function ... Use whichever available protocol applies — REST, MCP, OPAL, or curl. Required parameter: `url`. Optional: `headers`, `max_redirects`, `timeout_seconds`.
Use this skill mainly for public pages. Do not provide cookies, bearer tokens, or private intranet URLs unless you intentionally want them used for the fetch.
Target URLs and page content may be handled by linked external services rather than only by the local agent.
The skill can route page fetching through external services and agent/protocol endpoints. This is disclosed and related to the task, but it means URLs and fetched page content may pass through those services.
Default Order 1. `WEB_FETCH` function via URIBurner REST 2. MCP via streamable HTTP or SSE 3. Authenticated LLM-mediated execution via `chatPromptComplete` 4. OPAL Agent routing
Prefer trusted fetch routes and avoid using this skill for private or confidential pages unless you are comfortable with the selected provider handling that content.
If the authenticated route is used, an existing API key or OAuth-backed credential could be used to perform the fetch or mediated execution.
The skill mentions optional use of authenticated credentials for one routing path even though no credential is required by metadata. This appears optional and purpose-aligned, but should be explicit to the user at runtime.
Treat as requiring authentication unless a valid API key or OAuth-backed credential is available.
Before using authenticated routes, confirm which credential will be used, what service receives the request, and whether the page content is appropriate to send there.