Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Multi Source Tech News Digest

v1.0.0

Aggregates and scores technology news daily from 100+ RSS feeds, GitHub releases, and web sources, providing customizable, filtered tech news digests.

0· 437·1 current·1 all-time
byHaloha@pyh-pan
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim aggregation from RSS, GitHub releases, and web sources (and mention Twitter/X). The code implements RSS fetching and GitHub release fetching, but GitHub endpoints in config are incorrect/unusual ('https://api.github.com/repos/trending'), and there is no real Twitter/X ingestion or web scraping implementation beyond listing a few web URLs in config. The inclusion of package.json/requirements is reasonable for an aggregator, but some declared sources and descriptions (Twitter/X, web scraping) are not implemented, which is an incoherence.
!
Instruction Scope
Runtime code uses subprocess.run to execute dynamically constructed Python -c one-liners that embed config values (source_url and repo) directly into the command string. That pattern can lead to command/Python code injection if config values are attacker-controlled or maliciously modified. The SKILL.md usage instructions are straightforward (python skill.py digest/list/refresh) and do not request secrets, but the implementation detail of spawning an interpreter for each fetch is unnecessary and risky compared to using the imported libraries directly. test_skill.py also hardcodes an absolute path (/home/pan/...) which is a leftover artifact and may leak local paths.
Install Mechanism
There is no install spec (instruction-only install), which minimizes install-time risk. The repository includes requirements.txt and package.json (declaring common libraries requests, feedparser, beautifulsoup4) — expected for this kind of skill. No remote downloads or extract operations are present.
Credentials
The skill does not request environment variables, credentials, or special config paths. The default config lists external endpoints (RSS/GitHub/Google News/Techmeme) but there are no access tokens or secrets requested, which is proportionate for a public-news aggregator.
Persistence & Privilege
The skill does not set always: true and is user-invocable only (default). The included trigger_config.json sets an auto-start cron schedule and notification channels, but that appears to be a platform trigger config, not an internal mechanism that modifies other skills or system-wide settings. Autonomous invocation by the agent is allowed by default (platform standard).
What to consider before installing
This skill mostly does what its name promises (aggregate tech news) but has several red flags you should consider before installing: - The code uses subprocess.run with dynamically constructed Python -c strings that embed config values (RSS URLs and repo strings). If those config values are modified by an attacker or come from untrusted input, they could lead to arbitrary code execution. Ask the author to remove subprocess -c usage and call requests/feedparser directly in-process. - Some advertised sources (Twitter/X, web scraping) are mentioned in descriptions/config but are not actually implemented — verify the feature set if you need those sources. - The GitHub endpoints in config appear incorrect/unexpected; confirm how GitHub data is fetched and whether authentication is required for your use case. - test_skill.py contains a hardcoded absolute path (/home/pan/...) — likely a leftover from development. That is not a direct runtime threat but indicates the repo wasn't fully cleaned. - Because the skill makes outbound HTTP requests, run it in a sandboxed environment or restricted network if you want to limit data exfiltration risk, and review/replace the subprocess calls before granting production use. If you decide to proceed: require the maintainer to (1) replace subprocess -c calls with in-process library calls that properly validate/escape inputs, (2) fix/clarify GitHub source usage, (3) remove development hardcoded paths, and (4) document exactly which external endpoints will be contacted and whether credentials are ever required.

Like a lobster shell, security has layers — review code before you run it.

awesome-listvk979wtv1e83n9qq3f567a1wbr1825qp1clawdbotvk979wtv1e83n9qq3f567a1wbr1825qp1digestvk979wtv1e83n9qq3f567a1wbr1825qp1githubvk979wtv1e83n9qq3f567a1wbr1825qp1latestvk979wtv1e83n9qq3f567a1wbr1825qp1moltbotvk979wtv1e83n9qq3f567a1wbr1825qp1newsvk979wtv1e83n9qq3f567a1wbr1825qp1openclawvk979wtv1e83n9qq3f567a1wbr1825qp1openclaw-pluginvk979wtv1e83n9qq3f567a1wbr1825qp1rssvk979wtv1e83n9qq3f567a1wbr1825qp1techvk979wtv1e83n9qq3f567a1wbr1825qp1
437downloads
0stars
1versions
Updated 7h ago
v1.0.0
MIT-0

Multi Source Tech News Digest

A comprehensive OpenClaw skill for aggregating, scoring, and delivering technology news from 109+ sources including RSS feeds, GitHub releases, and web sources.

Features

  • Multi-source aggregation: RSS feeds, GitHub releases, web sources
  • Intelligent scoring: Automatically scores news based on tech keywords and source credibility
  • Configurable: Easy to customize sources and scoring thresholds
  • Daily digests: Generates formatted daily news summaries
  • Filtering: Filters low-quality news based on configurable thresholds

Installation

clawhub install multi-source-news-digest

Usage

# Generate daily digest
python skill.py digest

# List all news items
python skill.py list

# Force refresh news data
python skill.py refresh

Configuration

Edit config.json to customize:

  • rss_sources: List of RSS feed URLs
  • github_repos: GitHub repositories to monitor
  • web_sources: Web pages to scrape
  • max_news_per_source: Maximum news items per source
  • min_score_threshold: Minimum score threshold for news filtering

Sources

Default sources include:

  • RSS: TechCrunch, Wired, The Verge, Ars Technica, ZDNet
  • GitHub: Trending repositories
  • Web: Google News, Techmeme

Scoring System

News items are scored based on:

  • Tech keywords (AI, machine learning, blockchain, etc.)
  • Summary length and quality
  • Source credibility

Testing

python test_skill.py

Author

hesamsheikh

License

MIT

Comments

Loading comments...