RSS Monitor

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it says—monitor RSS feeds—but users should notice the optional Feishu webhook, local history files, and any cron job they enable.

Before installing, decide whether you are comfortable installing the Python dependencies, storing feed history under `~/.rss_monitor`, and optionally giving the script a Feishu/Lark webhook. If you enable cron, remember it will continue running until you remove the scheduled job.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the dependencies pulls code from the Python package ecosystem, so package changes or a compromised environment could affect the script.

Why it was flagged

The skill asks the user to install external Python packages without version pins. This is expected for its RSS parsing and HTTP notification purpose, but package provenance and versions affect behavior.

Skill content

Dependencies

- Python 3.6+
- requests
- feedparser

Install: `pip install requests feedparser`

Recommendation

Install dependencies from a trusted package source, preferably in a virtual environment, and consider pinning versions if using this long-term.

What this means

Anyone with the webhook URL may be able to post to the configured chat, and notification text is sent to Feishu/Lark.

Why it was flagged

The script uses a Feishu/Lark webhook URL from the environment to post notifications. The webhook is an expected, optional credential for the advertised notification feature.

Skill content

`webhook = webhook_url or os.environ.get('FEISHU_WEBHOOK')` ... `response = requests.post(webhook, json=payload, timeout=10)`

Recommendation

Keep the webhook URL secret, use a dedicated low-risk chat or bot where possible, and remove or rotate the webhook if you stop using the skill.

Note (High Confidence)

ASI10: Rogue Agents

What this means

If enabled, the monitor will continue fetching configured feeds and sending notifications on a schedule.

Why it was flagged

The skill documents an optional scheduled job that runs checks every 30 minutes. This persistence is disclosed and directly supports monitoring, but it keeps operating after setup until removed.

Skill content

`openclaw cron add --name "rss-monitor" --schedule "*/30 * * * *" --command "python scripts/rss_monitor.py check-all"`

Recommendation

Only add the cron job if you want ongoing monitoring, and remember to remove the cron entry when you no longer need it.

What this means

Feed URLs, feed names, article titles, links, summaries, and detection times may remain on disk under the user's home directory.

Why it was flagged

The script keeps persistent local state for monitored feeds and recent article history, capped to the last 500 entries.

Skill content

`DATA_DIR = Path.home() / ".rss_monitor"` ... `HISTORY_FILE = DATA_DIR / "history.json"` ... `save_json(HISTORY_FILE, history[-500:])`

Recommendation

Avoid adding sensitive private feeds unless local storage is acceptable, and clear `~/.rss_monitor` if you want to remove stored history.