Botlearn Rss Manager 1.0.0 Local

v1.0.0

Aggregates and deduplicates RSS feeds, scores and clusters articles by relevance, and generates concise daily digests with source attribution and trend insig...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description and the runtime instructions align: the skill describes feed aggregation, deduplication, scoring, clustering, and digest generation and its SKILL.md and knowledge files describe exactly those operations. No unrelated credentials, binaries, or system paths are requested. Minor metadata inconsistencies exist: the registry metadata lists 'source: unknown' and no homepage, while package.json points to a GitHub repo; that is a provenance/documentation gap to verify but does not change the capability alignment.
Instruction Scope
Runtime instructions explicitly describe network operations (conditional HTTP GETs with ETag/If-Modified-Since), feed parsing, optional fetching of linked article URLs as a fallback, storing per-feed ETag/Last-Modified and health metrics, and local deduplication/ML steps. All of these are coherent with an RSS manager's purpose. The SKILL.md does not instruct reading unrelated local files, environment secrets, or exfiltrating data to unexpected external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute; that minimizes install-time risk. The included package/manifest files are documentation only. Nothing in the manifest indicates downloads from arbitrary URLs or archive extraction.
Credentials
The skill declares no required environment variables, credentials, or config paths. The operations described (HTTP polling, HTML/XML parsing, local scoring and clustering) do not require secrets. The skill will request access to the user's feed list and will perform outbound HTTP requests to feed URLs and optionally to linked article URLs — this is proportionate to its function.
Persistence & Privilege
The skill instructs storing per-feed state (ETag, Last-Modified, health metrics, article DB) which implies persistence within the agent's storage; that is expected for a feed manager. It does not request always:true or other elevated platform privileges. Note: agent autonomous invocation is enabled by default (disable-model-invocation: false) — that's the platform default and not itself a problem, but you should be aware the skill could be invoked by the agent if policies allow.
Assessment
What this means for you: the skill is internally consistent with its stated purpose and does not request secrets or install arbitrary code, so it's low-risk in that sense. Before installing, consider:

(1) Provenance: registry metadata says 'source: unknown' while package.json references a GitHub repo; if you care about origin, verify the repository and publisher to ensure it's from a trusted author.
(2) Network & data access: the skill will need your list of subscribed feeds (and will make outbound HTTP(S) requests, including optionally fetching linked article pages) and will persist feed metadata (ETags, last-modified, health metrics, and an article index). If you do not want the agent to poll feeds automatically, avoid enabling autonomous invocation or set policies to require manual invocation.
(3) Private/internal feeds: do not subscribe to feeds that embed sensitive tokens or rely on private network access unless you trust the skill and its execution environment.
(4) Metadata mismatch: if you rely on provenance, confirm the homepage/repository and the publisher identity because registry metadata lacks a homepage and owner IDs differ across files.

If you want me to, I can: (a) fetch and show the package.json homepage repository URL for manual verification, or (b) list the specific behaviors (poll intervals, ETag handling, fallback URL fetching) you may want to restrict via policies.

Like a lobster shell, security has layers — review code before you run it.
