Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Sum Lite

v1.0.0

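Lightweight daily news brief skill. Trigger: the user says "今日新闻" (today's news), "新闻日报" (daily news brief), or "生成今日新闻" (generate today's news). Built to be fast, lightweight, and done in a single pass.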

by Leonard @liliangjie91

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for liliangjie91/news-sum-lite.

Install the skill "News Sum Lite" (liliangjie91/news-sum-lite) from ClawHub.
Skill page: https://clawhub.ai/liliangjie91/news-sum-lite
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install news-sum-lite

ClawHub CLI

npx clawhub@latest install news-sum-lite

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The described purpose (generate and send a daily news brief) matches the actions in SKILL.md (search, summarize, save, email). However the instructions depend on external search tools (web_search, tavily_search) and command-line tools (npx marked, gog gmail send) that are not declared in the metadata. That mismatch (instructions requiring binaries/credentials that the registry metadata does not list) is disproportionate to the stated lightweight intent.
! Instruction Scope
SKILL.md directs the agent to perform web searches, write a markdown file to archive/news/brief/brief-yyyymmdd.md, and run shell commands to convert Markdown to HTML and send mail. It requires selecting sources 1:1 domestic/international and forbids hallucination. The instructions contain inconsistent placeholders ({todays-brief.md} vs brief-yyyymmdd.md and {aim-email} without explanation), assume availability of search tools and a gmail CLI, and do not explain where email credentials or recipient addresses come from. These are scope and clarity issues that could cause unexpected behavior or require credentials not declared.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in itself. However the runtime commands imply dependencies on node/NPM (npx marked) and a third-party 'gog gmail send' CLI. Because no install steps or provenance for those tools are provided, the skill implicitly requires external binaries that the platform may not have — a deployment/operational concern but not an explicit install risk in the package itself.
! Credentials
The registry shows no required environment variables or credentials, yet the instructions perform email sending (which typically requires OAuth tokens or API keys) and write to local archive paths. The skill fails to declare any email credentials, token locations, or config paths. Requesting the ability to send email and write files without declaring where credentials or recipient addresses come from is disproportionate and under-specified.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The skill writes files to archive/news/brief/… and invokes system commands — these are reasonable for its function, but users should be aware it will create files and run external commands when invoked. Because autonomous invocation is allowed by default, those actions could occur without repeated prompts if the agent is given broader permissions; this increases blast radius but is not, by itself, a disqualifying privilege.
What to consider before installing
Before installing or enabling this skill, ask the author to clarify and fix these issues: (1) Declare required binaries and tools (e.g., npx/node, the 'gog' gmail CLI) or provide an install spec; (2) Declare any environment variables or credentials needed for sending email (OAuth tokens, API keys) and explain how credentials are obtained/stored; (3) Fix placeholder inconsistencies ({todays-brief.md} vs brief-yyyymmdd.md and {aim-email}) and explain how the recipient is determined (prompt user each run vs configured env var); (4) Confirm the skill is allowed to write to archive/news/brief/ and document what it writes; (5) If you don't want the skill to run shell commands on the host, request a version that uses only platform-provided tooling or a documented API. Because the current instructions assume undeclared tooling and credentials, proceed cautiously — do not grant it access to sensitive email credentials or broad filesystem write permissions until these questions are resolved.


latest vk97eg0wz5yc3c1ghxzsv1ccmrs85bj2m
72 downloads
0 stars
1 version
Updated 5d ago
v1.0.0
MIT-0

News Sum Lite

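Fast, lightweight daily news brief, generated in one pass with no concurrency.

Default settings

  • File path: archive/news/brief/brief-yyyymmdd.md
  • Default topics: international affairs, economy and finance, technology and AI

Overall workflow:

  • Search → search again on an extended topic → organize → save → send

Detailed workflow

Step 1 Search

  • Search the user's topics in parallel, noting that:
  1. Both Chinese and English queries must be used, restricted to the current day
  2. Use web_search and tavily_search in balance
  3. Keep the final ratio of domestic to foreign news sources at 1:1
  4. Every item must have a news source; hallucination is forbidden

Step 2 Extend

  • Based on what has already been found, proactively identify one related topic and search again

Step 3 Organize

  • Generate a Chinese summary for each news item (300 characters)
  • Extract the title, time, news source, and news link

Step 4 Save

  • Following the template format strictly, write to archive/news/brief/brief-yyyymmdd.md
  • The proactively explored New Topic must also be written

Step 5 Send email

Send the email by invoking exactly the following commands, making sure the format is correct, with the md file as the attachment and the HTML content as the email body: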

HTML=$(npx marked {todays-brief.md} --breaks)
HTML="<div style='font-family:Arial, sans-serif; line-height:1.6;'>$HTML</div>"
gog gmail send --to={aim-email} --subject="今日简报 yyyy-mm-dd" --attach={todays-brief.md} --body-html "$HTML"

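Format

Daily brief format template

## 📋 Today's News Brief {date}
---
### [emoji] {topic}
- **Title**
**Summary**:
**Time**: yyyy-mm-dd | [news source](news link)
- **Title**
**Summary**:
**Time**: yyyy-mm-dd | [news source](news link)
...
### [emoji] {topic}
...
### [emoji] {New topic}
...
---
## 💡 Today's Key Points
- Briefly summarize the 2-3 most important events of the day
---
## 🔮 Brief Forecast
---
Generated at: {time}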
