Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
FeedNest
v0.1.1
Aggregate and manage articles, highlights, notes, and tags from your personal trusted feeds, podcasts, and news sources with FeedNest integration.
⭐ 0· 68·0 current·0 all-time
by Luca Iaconelli (@lucaiaconelli)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match an aggregator for a user's feeds and the SKILL.md describes the exact plugin calls you'd expect (feednest_get_articles, highlights, tags, etc.). However, SKILL.md explicitly says a FeedNest Pro account and an API key are required and instructs installing @feednest/openclaw — yet the registry metadata lists no required env vars/primary credential and no install spec. The missing declaration of the API key (or how credentials are supplied) is inconsistent with the stated purpose.
Instruction Scope
The instructions stay within the FeedNest domain (listing calls, urging to confirm before bulk actions, and forbidding external summarization APIs). But the document is truncated at the end and instructs installing an external plugin via `openclaw plugins install @feednest/openclaw`. That CLI instruction implies fetching and executing third-party code; the SKILL.md does not state how credentials are provided to the plugin or whether the agent should prompt the user, which is an operational gap and risk (agent might try to access unspecified env vars or request the key).
Install Mechanism
This skill is instruction-only (no install spec in registry), which is lower risk. However, SKILL.md tells the user/agent to install an external OpenClaw plugin (@feednest/openclaw). Because the registry didn't include an install spec or a homepage/repo URL, the provenance of that plugin is unknown — installing third-party plugins can pull arbitrary code. This is a traceability/provenance concern, not necessarily malicious.
Credentials
SKILL.md requires a FeedNest Pro account and an API key from FeedNest's Developer API, but the registry metadata lists no required environment variables or primary credential. The skill does not specify the exact env var name or auth mechanism. Requiring an API key is reasonable for this purpose, but the omission from metadata and lack of clarity about where/how the key is stored or used is disproportionate and risky (could lead to accidental sharing or misconfiguration).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. Model invocation is allowed (normal). There is no evidence it modifies other skills or system-wide settings.
What to consider before installing
This skill appears to implement a FeedNest integration, but before installing or providing credentials:
1) Verify the provenance of the @feednest/openclaw plugin (repository URL, publisher identity, and code review).
2) Ask the publisher how the FeedNest API key should be provided (exact env var name, OpenClaw plugin auth flow, or prompt) and confirm it will not be exfiltrated to unknown endpoints.
3) Do not paste your FeedNest API key into chat; provide it only through the platform's secure credential mechanism after verifying the plugin.
4) If you can't verify the plugin source or the missing metadata is not corrected (registry should list required credentials and an install spec/repo), consider treating this as untrusted and avoid installing.
Like a lobster shell, security has layers — review code before you run it.
