ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI领域重点企业资讯抓取与简报生成

v0.1.3

Collect, filter, classify AI industry news, generate Chinese titles and summaries, and export Excel and Word briefs based on company lists and sources.

0· 302·0 current·0 all-time
byNighmat@nighmat1220
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The codebase contains crawlers (RSS + web), loaders for company/source Excel files, deduplication/classification/summarization services, and Excel/Word exporters — all consistent with the stated purpose of collecting AI news and producing Chinese titles/summaries and briefs.
!
Instruction Scope
SKILL.md gives simple runtime steps but omits an important runtime dependency: Settings expects a config.yaml by default and will raise FileNotFoundError if missing. The code will create DB/log files and can fetch arbitrary URLs listed in source_config.xlsx. If you provide ARK_API_KEY, article text will be sent to Volcengine Ark (Doubao) for summarization. These I/O and network actions are within the app's purpose but are not fully described in SKILL.md; users should be aware local files will be created and scraped content may be transmitted externally.
Install Mechanism
There is no install spec (instruction-only), which lowers install risk. However the repo includes requirements.txt and many Python modules (requests, feedparser, pandas, docx/openpyxl, bs4, etc.); these are reasonable for the task but must be installed before running. There are no remote arbitrary downloads or extract steps in the skill metadata.
Credentials
The skill does not require environment variables by default. It documents an optional ARK_API_KEY for Volcengine Ark summarization, which is proportional to the optional feature. Be aware that providing that key will cause article content to be sent to an external API. No unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It will write logs, output Excel/Word files, and a local SQLite DB in configured paths (config.yaml / config.default.yaml influence these paths). It does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
Things to check before running: - Provide or inspect config.yaml: The code expects a config.yaml (Settings raises if missing). Review config.default.yaml included in the repo and either provide a config.yaml or run with the correct config path. - Review source_config.xlsx / web_source_config.xlsx: The skill will fetch all URLs listed there. Do not include sensitive intranet/internal URLs unless you want them crawled. - External summarization: If you set ARK_API_KEY, the skill will send article content to Volcengine Ark (Doubao) for generation of Chinese titles/summaries. Do not supply that key if scraped content is sensitive or you do not consent to external processing. - Local data written: The skill will create output directories, logs, and an SQLite database (paths controlled via config). Run initially in an isolated environment or container if you want to inspect behavior first. - Dependencies: Install Python packages from requirements.txt in a virtualenv to avoid affecting system packages. - Code review: If you need higher assurance, open the remaining service files (ai_summary_service.py, briefing_service.py, etc.) to confirm the exact network endpoints and what fields are sent to external APIs. Given the above mismatches (missing config mention and the potential for external data transmission), treat this skill as suspicious until you confirm configuration and data flows are acceptable.

Like a lobster shell, security has layers — review code before you run it.

aivk97e3xzserjpzkar3dpjdp5psh82ptxrbriefingvk97e3xzserjpzkar3dpjdp5psh82ptxrcrawlervk97e3xzserjpzkar3dpjdp5psh82ptxrexcelvk97e3xzserjpzkar3dpjdp5psh82ptxrlatestvk97e3xzserjpzkar3dpjdp5psh82ptxrnewsvk97e3xzserjpzkar3dpjdp5psh82ptxrrssvk97e3xzserjpzkar3dpjdp5psh82ptxrwordvk97e3xzserjpzkar3dpjdp5psh82ptxr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments