Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ai news weekly agent

v1.0.2

Generate a weekly AI report with OpenClaw top skills, official announcements, industry news, and capped paper ratio in Markdown format.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and SKILL.md: the script aggregates RSS feeds, scrapes an OpenClaw leaderboard, and optionally calls an LLM to generate text. However, the registry metadata lists no required environment variables, while SKILL.md and the script clearly expect LLM credentials (ARK_* or OPENAI_*) and an optional webhook URL. That mismatch between declared requirements and runtime instructions is unexpected and should be resolved.
Instruction Scope
SKILL.md gives a concrete command to run the included Python script. The runtime instructions stay within the stated purpose (fetch RSS, scrape topclawhubskills.com, optionally call LLM, optionally post to a webhook). They explicitly mention enforced HTTPS, allowed LLM hosts, and webhook domain suffix checks. Be aware that the script will fetch external URLs from sources.json and will send the generated prompts to whichever LLM endpoint you configure, so review endpoints and sources beforehand.
Install Mechanism
No install spec is provided (instruction-only skill plus bundled Python file). There are no downloads or archive extractions in the manifest. The included code runs as a local script and uses standard library networking — no package registry installs or remote code pulls during install.
Credentials
The environment variables that SKILL.md requires (ARK_API_KEY, ARK_MODEL, ARK_ENDPOINT_ID or OPENAI_API_KEY, OPENAI_BASE_URL, OPENAI_MODEL, and optional DIGEST_WEBHOOK_URL) are appropriate for an LLM-backed report generator. The concern is that the registry metadata claims 'Required env vars: none', which understates the actual runtime secrets the script may use. This inconsistency could cause users to unknowingly provide credentials. Also note that providing a webhook (DIGEST_WEBHOOK_URL) will transmit generated output to an external endpoint. The script restricts webhook hosts to certain suffixes, but you should still verify the destination.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configs, and has no install step that persists binaries into system paths. It writes generated reports to a local daily_docs/ directory but otherwise has normal, limited persistence behavior for a reporting script.
What to consider before installing
This skill looks like a legitimate weekly AI digest generator, but check these before installing or running:
1) The registry says no env vars, but the script needs LLM credentials (ARK_* or OPENAI_*). Don’t paste keys into the repo; set them only in a trusted runtime or local .env you control.
2) Inspect sources.json for any feeds you don't trust and consider removing unknown RSS URLs.
3) If you enable LLM usage, confirm OPENAI_BASE_URL or Ark endpoint is a provider you trust and set LLM_ALLOWED_HOSTS to restrict endpoints.
4) If you enable notifications, only set DIGEST_WEBHOOK_URL to an endpoint you control and trust (the script limits webhook suffixes, but verify the full host).
5) If you want to avoid sending fetched content to an external LLM, run without --use-llm or run locally offline.
6) Ask the publisher to correct the registry metadata (declare required env vars) before using in a shared/runtime environment.
Running the script in an isolated environment and reviewing run_daily_digest.py yourself is recommended.

Like a lobster shell, security has layers — review code before you run it.
