mp2rss CLI
Security checks across malware telemetry and agentic risk
Overview
This is a coherent instruction-only wrapper for the mp2rss CLI, but users should verify the external CLI installer and protect the Feed Key it stores locally.
Before using this skill, install the mp2rss CLI only from a source you trust, understand that login stores a Feed Key in ~/.mp2rss/config.json, and ask the agent to confirm the exact subscription before removing anything.
VirusTotal
No VirusTotal findings
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill alone does not install the CLI, and following the setup instructions will run third-party code on the user's machine.
The skill instructs users to install an external CLI from GitHub or npm, including a curl-to-shell installer. This is expected for a CLI wrapper but means executable code is fetched outside the reviewed bundle.
curl -fsSL https://raw.githubusercontent.com/areyoubugcoder/mp2rss-cli/main/scripts/install.sh | sh
# npm (Node ≥ 18)
pnpm add -g @mp2rss/cli
Install only from trusted sources, inspect or pin the installer/package where possible, and avoid running curl-to-shell commands if your environment requires stricter provenance controls.
Anyone with access to the Feed Key or config file may be able to access or change the user's mp2rss subscription data.
The skill uses and persists a Feed Key for the mp2rss account. This credential handling is disclosed and aligned with authentication, but it is still account access material.
Automatically written to `~/.mp2rss/config.json` after login ... Feed Key priority (high → low): command-line `--api-key` > `MP2RSS_FEED_KEY` environment variable > config file
Keep the Feed Key private, use normal filesystem protections, and run `mp2rss auth logout` or reset the key if it may have been exposed.
A mistaken command could unsubscribe the user from a public-account feed.
The skill can remove subscriptions and documents a flag that skips confirmation. This is part of the stated subscription-management purpose, and the notes also advise confirming the mpId first.
mp2rss mp remove <mpId> [-y] [-o json] ... `-y` skips the interactive confirmation (suitable for scripted calls)
Confirm the target subscription before removal, and use `-y` only when the user has explicitly requested the deletion.
