ClawHub

Common-Fetcher

v1.0.0

统一采集框架 - 支持 RSS/Web/API,207+ 采集源,AI 评分/分类/摘要

0· 523·1 current·1 all-time
byluck@lq707904686
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (采集/抓取/AI 处理) match the declared requirements (node/npm) and the install spec (npm package common-fetcher). No unrelated binaries or credentials are requested.
Instruction Scope
SKILL.md stays on-topic (CLI usage, Node API, config/ directory, openclaw.json integration). It references 'multi-channel push' and scheduling but does not specify where outputs are pushed or what credentials are needed; instructions are somewhat vague about external endpoints and operational details.
!
Install Mechanism
Install uses a public npm package name 'common-fetcher' (moderate risk). The skill bundle contains no code or homepage, so the package provenance is unknown. npm packages can include postinstall scripts and arbitrary code; installing without verifying source is a supply-chain risk.
Credentials
No environment variables or credentials are declared, which aligns with the minimal metadata. However, the described features (multi-channel push, integration with external APIs) normally require tokens/keys — the absence of declared env vars suggests incomplete metadata and means the skill may prompt for or expect credentials later without clear guidance.
Persistence & Privilege
always is false and no special system config paths are requested. The README suggests enabling/scheduling the skill via openclaw.json, which is normal. Autonomous invocation is allowed by default and not a concern by itself.
What to consider before installing
This skill is coherent with its stated purpose but lacks provenance and includes an install step that pulls a third‑party npm package. Before installing: (1) verify the npm package source — check its npm page and GitHub repo; (2) inspect the package contents (look for postinstall scripts, network calls, or unexpected binaries) or request the source code from the author; (3) test the package in a sandboxed environment first; (4) do not enable scheduled runs or configure automatic pushes until you confirm where outputs are sent and which credentials are required; (5) if you need to supply API keys for push channels, provide only least-privilege tokens and rotate them after testing.

Like a lobster shell, security has layers — review code before you run it.

automationvk973vxawrndq8y0k12x9715mtx81ps1xcrawlervk973vxawrndq8y0k12x9715mtx81ps1xdatavk973vxawrndq8y0k12x9715mtx81ps1xlatestvk973vxawrndq8y0k12x9715mtx81ps1xrssvk973vxawrndq8y0k12x9715mtx81ps1xscrapervk973vxawrndq8y0k12x9715mtx81ps1x

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🕸️ Clawdis
Binsnode, npm

Install

Install common-fetcher (npm)
Bins: common-fetcher
npm i -g common-fetcher

Comments