Multi Source Tech News Digest
v1.0.0
Aggregates and scores technology news daily from 100+ RSS feeds, GitHub releases, and web sources, providing customizable, filtered tech news digests.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim aggregation from RSS, GitHub releases, and web sources (and mention Twitter/X). The code implements RSS fetching and GitHub release fetching, but GitHub endpoints in config are incorrect/unusual ('https://api.github.com/repos/trending'), and there is no real Twitter/X ingestion or web scraping implementation beyond listing a few web URLs in config. The inclusion of package.json/requirements is reasonable for an aggregator, but some declared sources and descriptions (Twitter/X, web scraping) are not implemented, which is an incoherence.
Instruction Scope
Runtime code uses subprocess.run to execute dynamically constructed Python -c one-liners that embed config values (source_url and repo) directly into the command string. That pattern can lead to command/Python code injection if config values are attacker-controlled or maliciously modified. The SKILL.md usage instructions are straightforward (python skill.py digest/list/refresh) and do not request secrets, but the implementation detail of spawning an interpreter for each fetch is unnecessary and risky compared to using the imported libraries directly. test_skill.py also hardcodes an absolute path (/home/pan/...) which is a leftover artifact and may leak local paths.
Install Mechanism
There is no install spec (instruction-only install), which minimizes install-time risk. The repository includes requirements.txt and package.json (declaring common libraries requests, feedparser, beautifulsoup4) — expected for this kind of skill. No remote downloads or extract operations are present.
Credentials
The skill does not request environment variables, credentials, or special config paths. The default config lists external endpoints (RSS/GitHub/Google News/Techmeme) but there are no access tokens or secrets requested, which is proportionate for a public-news aggregator.
Persistence & Privilege
The skill does not set always: true and is user-invocable only (default). The included trigger_config.json sets an auto-start cron schedule and notification channels, but that appears to be a platform trigger config, not an internal mechanism that modifies other skills or system-wide settings. Autonomous invocation by the agent is allowed by default (platform standard).
What to consider before installing
This skill mostly does what its name promises (aggregate tech news) but has several red flags you should consider before installing:
- The code uses subprocess.run with dynamically constructed Python -c strings that embed config values (RSS URLs and repo strings). If those config values are modified by an attacker or come from untrusted input, they could lead to arbitrary code execution. Ask the author to remove subprocess -c usage and call requests/feedparser directly in-process.
- Some advertised sources (Twitter/X, web scraping) are mentioned in descriptions/config but are not actually implemented — verify the feature set if you need those sources.
- The GitHub endpoints in config appear incorrect/unexpected; confirm how GitHub data is fetched and whether authentication is required for your use case.
- test_skill.py contains a hardcoded absolute path (/home/pan/...) — likely a leftover from development. That is not a direct runtime threat but indicates the repo wasn't fully cleaned.
- Because the skill makes outbound HTTP requests, run it in a sandboxed environment or restricted network if you want to limit data exfiltration risk, and review/replace the subprocess calls before granting production use.
If you decide to proceed: require the maintainer to (1) replace subprocess -c calls with in-process library calls that properly validate/escape inputs, (2) fix/clarify GitHub source usage, (3) remove development hardcoded paths, and (4) document exactly which external endpoints will be contacted and whether credentials are ever required.
Like a lobster shell, security has layers — review code before you run it.
awesome-list, clawdbot, digest, github, latest, moltbot, news, openclaw, openclaw-plugin, rss, tech
Multi Source Tech News Digest
A comprehensive OpenClaw skill for aggregating, scoring, and delivering technology news from 109+ sources including RSS feeds, GitHub releases, and web sources.
Features
- Multi-source aggregation: RSS feeds, GitHub releases, web sources
- Intelligent scoring: Automatically scores news based on tech keywords and source credibility
- Configurable: Easy to customize sources and scoring thresholds
- Daily digests: Generates formatted daily news summaries
- Filtering: Filters low-quality news based on configurable thresholds
Installation
clawhub install multi-source-news-digest
Usage
# Generate daily digest
python skill.py digest
# List all news items
python skill.py list
# Force refresh news data
python skill.py refresh
Configuration
Edit config.json to customize:
- rss_sources: List of RSS feed URLs
- github_repos: GitHub repositories to monitor
- web_sources: Web pages to scrape
- max_news_per_source: Maximum news items per source
- min_score_threshold: Minimum score threshold for news filtering
Sources
Default sources include:
- RSS: TechCrunch, Wired, The Verge, Ars Technica, ZDNet
- GitHub: Trending repositories
- Web: Google News, Techmeme
Scoring System
News items are scored based on:
- Tech keywords (AI, machine learning, blockchain, etc.)
- Summary length and quality
- Source credibility
Testing
python test_skill.py
Author
hesamsheikh
License
MIT
