Ai News Zh 1.0.0

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This no-code skill's behavior is coherent: it fetches public AI news and posts a Chinese briefing, with notable but purpose-aligned risks around scheduled posting, provider credentials, and provenance inconsistency.

This appears reasonable for a Chinese AI-news briefing skill. Before enabling it, run it manually once, verify the output and target channel, use limited-scope API keys or bot tokens, keep scheduled jobs easy to disable, and note the owner/source metadata inconsistency if provenance is important to you.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured with a messaging tool, the agent may post news summaries to a Feishu, Telegram, or Discord destination.

Why it was flagged

The skill can use external search and messaging tools. This is aligned with collecting news and pushing a digest, but message posting can affect external channels.

Skill content
optional:\n      tools: [web_search, message]
Recommendation

Run it manually first, verify the destination channel, and grant only the minimum posting permissions needed.

What this means

A search API key or messaging integration token may be needed for full functionality.

Why it was flagged

The skill discloses optional use of a Brave API key, while the registry metadata declares no required credentials. The credential use is purpose-aligned but under-specified.

Skill content
web_search can greatly improve collection capability (optional, requires a Brave API key)
Recommendation

Use dedicated, least-privilege API keys or bot tokens and avoid granting admin or broad workspace permissions.

What this means

Once scheduled, the agent may keep fetching and posting daily briefings without a fresh manual prompt each day.

Why it was flagged

The skill recommends scheduled recurring operation. This is disclosed and fits the daily-news purpose, but it creates unattended agent activity.

Skill content
Set up a cron task to push automatically every morning
Recommendation

Confirm the briefing format manually before scheduling, document where the cron/job is configured, and keep a simple way to pause or remove it.

What this means

It may be harder to verify who originally authored or packaged the skill.

Why it was flagged

The embedded _meta owner ID differs from the registry owner ID shown for this review. With no source or homepage, this is a provenance inconsistency, though there is no runnable code in the package.

Skill content
"ownerId": "kn70pmxm14zje7vy6bm9k5ktc581z74d"
Recommendation

If publisher identity matters, verify the owner/source through ClawHub or use a version with consistent metadata.