ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Aggregator Pro

v1.0.0

国内外社会、科技、军事新闻汇总。自动搜索、筛选、整理新闻要点。

0· 61·0 current·0 all-time
by@mars82311111
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and SKILL.md content are coherent: they describe crawling/aggregating tech and military news and list plausible sources. However, registry metadata (ownerId, slug, version) does not match the _meta.json and SKILL.md values, and homepage/source are missing — this mismatch suggests sloppy packaging or possible repackaging under a different identity.
Instruction Scope
Runtime instructions are limited to web searching/fetching (references to 'tavily' or 'web_fetch'), filtering duplicates/unreliable items, and producing structured summaries. The instructions do not request local file reads, secret access, or sending data to unexpected external endpoints beyond the listed news sites.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is downloaded or written during install. This minimizes risk from malicious install mechanisms.
Credentials
The skill declares no required environment variables, binaries, or config paths. The operations it describes (web fetching public news sites) do not require credentials, so requested access is proportionate.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or modifications to other skills. Autonomous invocation is allowed (platform default) but not combined with other privileges here.
What to consider before installing
This skill's behavior (fetching and summarizing news) matches its description and it is instruction-only, which limits risk. However, the package has inconsistent metadata (registry owner/slug/version differ from _meta.json and SKILL.md) and no published homepage or known source; that reduces provenance and increases risk of tampering or repackaging. Before installing: verify the publisher identity or prefer a skill with a known source, run it in a restricted environment, and avoid providing any credentials. If you plan to let the agent invoke the skill autonomously, be aware it will fetch arbitrary web pages — review the tool permissions (tavily/web_fetch) and content-handling policies to ensure fetched pages won't be forwarded to other external services.

Like a lobster shell, security has layers — review code before you run it.

aivk97030yjschapefxm3qaxy73rs83yy65automationvk97030yjschapefxm3qaxy73rs83yy65latestvk97030yjschapefxm3qaxy73rs83yy65newsvk97030yjschapefxm3qaxy73rs83yy65

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments