Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Summary

v1.0.1

This skill should be used when the user asks for news updates, daily briefings, or what's happening in the world. Fetches news from trusted international RSS...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description (news summaries from RSS, optional voice) align with the provided curl commands and parsing steps. The listed RSS endpoints (BBC, Reuters, NPR, Al Jazeera) are consistent with a news-summary purpose.
Instruction Scope
The SKILL.md explicitly instructs the agent to call external RSS endpoints and to call OpenAI's TTS endpoint using $OPENAI_API_KEY. The skill's declared metadata lists no required env vars, yet the instructions rely on an API key and on network access. The SKILL.md also writes an audio file to /tmp/news.mp3, which is benign for temporary output but worth noting. Overall, the instructions reference credentials and external endpoints that the metadata does not declare.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This is low-risk from an install-mechanism perspective.
Credentials
SKILL.md uses the environment variable $OPENAI_API_KEY for text-to-speech, but the metadata's requires.env and primary credential fields declare no credentials. Declaring no credentials while instructing the agent to use a secret is an incoherence: either the key is consumed without the user having been told to expect it, or the skill fails at runtime when the variable is unset.
Persistence & Privilege
The skill does not set always: true and is user-invocable; it does not request persistent privileges or claim to modify other skills or system-wide config.
What to consider before installing
- Ask the publisher to clarify the missing credential declaration. The SKILL.md calls OpenAI's TTS endpoint using $OPENAI_API_KEY, but the skill metadata lists no required environment variables. Verify whether the skill will actually require and use your OpenAI API key. If you provide a key, the skill will send the news text to OpenAI for TTS, i.e. external transmission of generated content.
- Verify the author/owner: _meta.json contains a different ownerId than the registry metadata shown in the package summary. The mismatch could be benign (a packaging error) but is worth confirming.
- Network access: the skill will make outbound requests to the listed RSS feeds (BBC, Reuters, NPR, Al Jazeera). Make sure you are comfortable with those external requests and with any data sent to OpenAI for TTS.
- File writes: the example writes /tmp/news.mp3. This is temporary output, but confirm your environment's file policies if you use strict sandboxing.
- If you do not want the summary text sent to OpenAI, ask for a variant that omits the TTS step, or run the skill with OPENAI_API_KEY unset, in which case the TTS step cannot run. If the author intends to use another TTS provider, ask them to update the docs and the declared env vars.

If the author confirms the use of OpenAI TTS, updates the metadata to declare the required env var(s), and explains the ownerId discrepancy, the skill would be coherent for its stated purpose. Until then, treat the mismatch as a red flag and proceed cautiously.
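The checks above, and the undeclared-credential finding under Credentials, can be done by script rather than by eye: pull every $VAR the instructions expand, every host they contact and every absolute path they write, then diff the variables against what the metadata declares and compare the two ownerId values. The block below is an added example and is not part of this listing or of the skill. The SKILL.md body and both metadata objects are constructed samples shaped like what the scan describes, and the metadata keys (requires.env, ownerId) are assumptions; ClawHub's real schema may differ.

```python
import re
from urllib.parse import urlsplit

# Constructed sample SKILL.md, shaped like the instructions the scan describes
# (RSS fetches via curl, optional TTS via OpenAI writing /tmp/news.mp3).
# It is not the real file from the listing.
SKILL_MD = r"""
# News Summary

Fetch headlines:
  curl -s https://feeds.bbci.co.uk/news/rss.xml
  curl -s https://feeds.npr.org/1001/rss.xml

Optional voice output:
  curl -s https://api.openai.com/v1/audio/speech \
    -H "Authorization: Bearer $OPENAI_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{"model": "tts-1", "voice": "alloy", "input": "<summary text>"}' \
    --output /tmp/news.mp3
"""

# Assumed metadata shapes (assumption: the real ClawHub schema may differ).
REGISTRY_METADATA = {"name": "news-summary", "ownerId": "owner-registry",
                     "requires": {"env": []}}
PACKAGE_META_JSON = {"ownerId": "owner-package"}

ENV_REF = re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?")      # $VAR or ${VAR}
URL_REF = re.compile(r"""https?://[^\s'"`)]+""")          # http(s) URLs
WRITE_REF = re.compile(r"(?:--output|-o|>)\s*(/\S+)")     # curl output / redirection


def referenced_env_vars(text):
    """Environment variables the instructions expand with $VAR or ${VAR}."""
    return set(ENV_REF.findall(text))


def declared_env_vars(metadata):
    """Variables the metadata admits to needing (assumed requires.env key)."""
    return set(metadata.get("requires", {}).get("env", []))


def undeclared_env_vars(text, metadata):
    """Secrets the instructions use that the metadata never declares."""
    return referenced_env_vars(text) - declared_env_vars(metadata)


def referenced_hosts(text):
    """Hosts the agent will contact if it follows the instructions."""
    return {urlsplit(u).hostname for u in URL_REF.findall(text)}


def written_paths(text):
    """Absolute paths written via curl --output/-o or shell redirection."""
    return set(WRITE_REF.findall(text))


def owner_mismatch(registry_metadata, meta_json):
    """True when the package's _meta.json names a different owner than the registry."""
    return registry_metadata.get("ownerId") != meta_json.get("ownerId")


def review(text, registry_metadata, meta_json):
    """Collect the pre-install findings in one structure."""
    return {
        "undeclared_env": sorted(undeclared_env_vars(text, registry_metadata)),
        "outbound_hosts": sorted(referenced_hosts(text)),
        "file_writes": sorted(written_paths(text)),
        "owner_mismatch": owner_mismatch(registry_metadata, meta_json),
    }


if __name__ == "__main__":
    for key, value in review(SKILL_MD, REGISTRY_METADATA, PACKAGE_META_JSON).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports OPENAI_API_KEY as undeclared, three outbound hosts, one file write and an owner mismatch, which is the same set of points the scan raises. Declaring the variable in requires.env clears the first finding; the other three remain informational and are for the installer to accept or reject. The regexes are deliberately simple and only cover the curl-style instructions shown here; a SKILL.md that reaches the network through other tools would need further patterns.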
