Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
News Summary Litiao
v1.0.0
This skill should be used when the user asks for news updates, daily briefings, or what's happening in the world. Fetches news from trusted international RSS...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's described purpose (fetch RSS, summarize, optionally produce TTS) matches the runtime instructions for fetching public RSS feeds and summarizing them. However, the SKILL.md includes a curl call to the OpenAI TTS API relying on $OPENAI_API_KEY, yet the skill declares no required environment variables or primary credential. This is an incoherence between claimed requirements and actual instructions.
Instruction Scope
Instructions are narrowly scoped to fetching public RSS feeds, parsing titles/descriptions, summarizing, and optionally calling OpenAI's TTS endpoint. The workflow references only network calls to public news feeds and the OpenAI API and writes a temporary audio file (/tmp/news.mp3). The instructions do not request unrelated files, secrets, or system configuration—but they do rely on an undeclared API key.
Install Mechanism
This is instruction-only with no install spec and no code files, which minimizes installation risk. No third-party downloads or package installs are required by the manifest.
Credentials
The SKILL.md explicitly uses the environment variable $OPENAI_API_KEY for TTS, but requires.env and primary credential fields are empty. Requiring an API key for voice generation would be proportional to the feature, but the manifest's failure to declare this credential is an inconsistency that could lead to accidental exposure or misuse if a user supplies secrets without realizing where they'll be used.
Persistence & Privilege
The skill is not forced-always and allows normal user invocation/autonomous use (platform default). It does not request persistent system modifications or access to other skills' configurations.
What to consider before installing
This skill appears to do what it says (fetch RSS and summarize), but the runtime instructions call the OpenAI TTS API using $OPENAI_API_KEY even though the skill manifest does not declare any required environment variables. Before installing or enabling:
1) confirm you are comfortable providing an OpenAI API key (if you want TTS) and prefer that the agent use it;
2) ask the publisher to update the manifest to explicitly declare OPENAI_API_KEY (so the permission is visible);
3) verify the owner/slug metadata mismatch (_meta.json vs. registry) with the publisher to ensure this is the intended package;
4) be aware that audio output is written to /tmp/news.mp3 (temporary file) and that network calls fetch external RSS feeds and call api.openai.com, which may incur cost and transmit content to OpenAI.
If you need stronger assurance, request the maintainer add explicit env requirements and a clear homepage/source before enabling autonomous invocation.
Like a lobster shell, security has layers — review code before you run it.
