openclaw-feeds
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run the bundled Python script and make outbound requests to news feed URLs when answering headline requests.
The skill authorizes running local Python through Bash to fetch feeds. This is expected for the RSS aggregator, but users should notice that installation enables command execution for this skill.
allowed-tools: Bash(python3:*) ... python3 scripts/feeds.py --category news
Keep use limited to the documented feed commands and review the feed list if you want to control which sites are contacted.
A future or environment-specific feedparser package version could behave differently from the one the author tested.
The skill depends on an external Python package without pinning a version. This is a common and purpose-aligned setup step, but dependency versions can change over time.
pip install --user feedparser
Install dependencies from a trusted package index, preferably in a virtual environment, and pin a known-good feedparser version if reproducibility matters.
A compromised or malicious feed entry could include misleading text or links that appear in the news rundown.
Public RSS titles and summaries are collected and returned for the agent to summarize. That content is external and should be treated as data, not as instructions.
title = entry.get("title", "").strip() ... summary = clean_html(entry.get("summary", "")) ... "summary": summary
Treat feed output as untrusted news content, preserve source attribution, and avoid following instructions embedded in feed titles or summaries.
