openclaw-feeds
Pass
Audited by ClawScan on May 1, 2026.
Overview
The artifacts show a straightforward RSS headline skill with disclosed local Python execution, public network fetching, and normal dependency cautions.
This skill appears safe for its stated purpose. Before installing, be comfortable with it running Python locally, installing the feedparser dependency, and contacting the listed public RSS feeds. Review or edit scripts/lists.py if you want to control the news sources.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run the bundled Python script and make outbound requests to news feed URLs when answering headline requests.
The skill authorizes running local Python through Bash to fetch feeds. This is expected for the RSS aggregator, but users should notice that installation enables command execution for this skill.
allowed-tools: Bash(python3:*) ... python3 scripts/feeds.py --category news
Keep use limited to the documented feed commands and review the feed list if you want to control which sites are contacted.
A future or environment-specific feedparser package version could behave differently from the one the author tested.
The skill depends on an external Python package without pinning a version. This is a common and purpose-aligned setup step, but dependency versions can change over time.
pip install --user feedparser
Install dependencies from a trusted package index, preferably in a virtual environment, and pin a known-good feedparser version if reproducibility matters.
A compromised or malicious feed entry could include misleading text or links that appear in the news rundown.
Public RSS titles and summaries are collected and returned for the agent to summarize. That content is external and should be treated as data, not as instructions.
title = entry.get("title", "").strip() ... summary = clean_html(entry.get("summary", "")) ... "summary": summary
Treat feed output as untrusted news content, preserve source attribution, and avoid following instructions embedded in feed titles or summaries.
