Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
local-model-router
v1.0.1
Automatically generates tech news digests. Fetches tech news from multiple sources (RSS, Twitter, GitHub, Web Search) and consolidates it into a digest.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Metadata name is 'local-model-router' while the description, SKILL.md, and code implement a tech-news digest — name/purpose mismatch. The README claims outputs like Discord/Email/PDF, but the included scripts only fetch RSS feeds and write local JSON/markdown/text files. Several optional API keys are listed in SKILL.md (Twitter, Brave, TAVILY, GitHub) but the provided Python scripts only read RSS feeds and do not call those services.
Instruction Scope
SKILL.md instructs creating a workspace config and running 'python3 scripts/run-pipeline.py' to produce output; no scripts/run-pipeline.py exists in the bundle. SKILL.md also promises parallel fetch from multiple sources (RSS, Twitter, GitHub, Web Search) and various output channels, but the actual scripts (fetch-news.py and daily-digest.py) only parse RSS feeds, translate text (optional), and save local files. The SKILL.md lists environment variables that the code does not read. This discrepancy grants the agent broad discretion without implementation to justify it.
Install Mechanism
No install spec (instruction-only), which minimizes installer risk. SKILL.md recommends 'pip install -r requirements.txt' and a requirements.txt is present (feedparser, requests, python-dateutil). However, the code optionally imports deep_translator (GoogleTranslator), which is not listed in requirements.txt, indicating an incomplete dependency specification.
Credentials
SKILL.md lists multiple API keys as optional (TWITTERAPI_IO_KEY, X_BEARER_TOKEN, TAVILY_API_KEY, BRAVE_API_KEY, GITHUB_TOKEN) but none of the included scripts access these environment variables. Asking for many credentials unrelated to the provided implementation is disproportionate and could confuse users into supplying unnecessary secrets.
Persistence & Privilege
Skill is not always-enabled, does not request system-wide config changes, and does not declare required config paths or credentials. Scripts write files under scripts/workspace which is local and expected for this use case.
What to consider before installing
This package appears to be a simple RSS news summarizer, but there are clear inconsistencies you should consider before installing: the skill's registry name ('local-model-router') doesn't match its content; SKILL.md instructs running a non-existent 'scripts/run-pipeline.py'; it claims integration with Twitter/GitHub/Brave/Tavily and output channels (Discord/Email/PDF) that are not implemented in the included scripts; and the translator library used in code (deep_translator) is not listed in requirements.txt. Do not provide API keys unless you can confirm the code actually uses them. If you still want to use it, review the code locally, add the missing dependency (or remove unused env var prompts), and fix or implement the missing run-pipeline script or update SKILL.md to match the real behavior.
Like a lobster shell, security has layers — review code before you run it.
latest: vk977qc5j59bcwzy5mw117b1hed833s57
