Neckr0ik Newsletter Manager
v1.0.0
Manage newsletters with AI-generated content. Create, schedule, and send newsletters automatically. Supports multiple platforms (Substack, Beehiiv, ConvertKi...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description promise multi-platform creation, scheduling and sending (Substack, Beehiiv, ConvertKit, Mailchimp). The included Python implementation generates drafts and schedules locally, but does not implement API calls to those platforms (send() prints placeholders). The code calls a local 'ollama' binary to generate/curate content, yet the skill metadata lists no required binaries—this is an inconsistency: a user would reasonably expect platform API integration and the presence/installation of 'ollama' to be declared.
Instruction Scope
SKILL.md instructs use of a CLI and saving platform API keys via 'config set' commands and shows automation examples using NewsletterManager. The code reads/writes files under ~/.newsletter-manager (config, drafts, subscribers) which matches the instruction scope. However, SKILL.md claims features (sending via platforms, analytics export) that the code currently only stubs/prints rather than actually performing network/API operations. The 'curate' feature uses the LLM to produce URLs; that risks hallucinated links but is within the claimed functionality to 'curate'.
Install Mechanism
There is no install specification (instruction-only skill plus a script), which is low friction, but the code depends on calling the external 'ollama' CLI via subprocess.run. The skill metadata and requirements fail to declare this dependency. If 'ollama' is not present, the code falls back to templates, but the absence of a declared binary is a coherence issue and an operational surprise for users.
Credentials
The skill declares no required environment variables, which aligns with the code. However, SKILL.md documents commands to set platform API keys (beehiiv.api_key, convertkit.api_key/secret, etc.) and the code's PLATFORMS map notes required keys. The implementation appears to store configuration in plaintext at ~/.newsletter-manager/config.json, which means any API keys saved through the intended CLI would be stored on disk unencrypted — a proportionality and privacy concern. There are no hidden env-vars accessed by the code, but the mismatch between declared none and the documented need to store API credentials is noteworthy.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It creates and writes to ~/.newsletter-manager (config, drafts, subscribers, analytics) — persistent local storage but scoped to the user's home directory and the skill's own files. This is expected for a newsletter manager, but users should be aware their subscriber lists and API keys (if used) will be stored locally in plaintext unless the CLI encrypts them (no evidence of that in the shipped code).
What to consider before installing
This skill is internally inconsistent in a few important ways: it advertises multi-platform sending but the included code only stubs sending (no API calls), it relies on a local 'ollama' CLI but does not declare that requirement, and it writes configuration (including where API keys would go) as plaintext under ~/.newsletter-manager. Before installing or using this with real data or secrets: 1) ask the author for the source repo or a homepage and a clear install procedure (including 'ollama' requirement), 2) inspect the remainder of the send/CLI implementation to verify how and whether API keys are used and protected, 3) consider running the code in a sandbox or VM and avoid putting real subscriber lists or production API keys into it until you confirm secure key handling, and 4) if you need true platform delivery, prefer a skill that declares network/API usage and shows concrete integration code (or implement the platform calls yourself). If you want, I can help review the rest of the truncated code or suggest safe steps to test this locally.
Like a lobster shell, security has layers — review code before you run it.
latestvk978xjgfa0rmxz7gq5bjjas35n82cd2q
