Rss Digest

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This RSS digest skill looks coherent and low-risk, but it installs a third-party feed tool and can add starter RSS subscriptions if no feeds are configured.

Before installing, make sure you trust the `feed` CLI source. Be aware that the skill will read your RSS entries and fetch article URLs, and that it may add a starter set of feeds if no subscriptions exist.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

61/61 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the skill requires trusting the external `feed` command that will read and manage the local RSS feed database.

Why it was flagged

The skill depends on an external CLI installed from a custom tap or an unpinned Go package. This is disclosed and central to the skill, but users should trust the package source.

Skill content

brew | formula: odysseus0/tap/feed ... go | package: github.com/odysseus0/feed/cmd/feed@latest

Recommendation

Review the `feed` project or install it from a trusted, pinned source if possible.

ASI02: Tool Misuse and Exploitation
Low
What this means

If your feed database is empty, the skill may add a starter set of RSS feeds before creating a digest.

Why it was flagged

The workflow tells the agent to import a remote starter feed list when no feeds are configured, which persistently changes the user's feed subscriptions.

Skill content

if 0 feeds, import starter set: `feed import https://github.com/odysseus0/feed/raw/main/hn-popular-blogs-2025.opml` and retry.

Recommendation

If you do not want starter feeds added automatically, tell the agent to ask before importing or to skip the import step.