Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Summary Voice

v1.0.1

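News summary and voice broadcast tool. Fetches news from trusted international RSS sources and generates spoken summaries. Triggered when the user asks for news updates, a daily briefing, world events, or an AI news broadcast. Supports multiple languages and is cross-platform (macOS/Linux/Windows).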

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description (fetch RSS, summarize, TTS) matches the instructions: it shows concrete RSS sources, parsing commands, and platform-specific TTS approaches. Asking for no env vars, no installs, and no persistent privileges is proportionate to a lightweight news/TTS helper.
Instruction Scope
Instructions stay within news-fetching and TTS. Minor concerns: (1) a malformed/odd Xinhua RSS URL (contains Chinese character '臆' in the domain/path) that looks like a typo or malicious URL, (2) use of rsshub.app for AP (a third-party aggregator) rather than an official AP feed, (3) recommendation to use an unspecified 'Coze TTS' tool with no source or install instructions, and (4) examples that download and play audio from an arbitrary '音频URL'—downloading/playing untrusted binaries/audio is a potential risk. Also the decision-tree references as_qdr (a search query filter) which doesn't directly apply to RSS feeds; minor incoherence.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes install risk because nothing is written or executed by an installer. Platform examples call out standard system packages (espeak-ng, ffmpeg) that are reasonable for local TTS playback.
Credentials
The skill requests no credentials, no environment variables, and no config paths. That is proportional to a news/TTS skill. The only proportionality risk is recommending external services/tools (rsshub.app, 'Coze TTS') that may require separate credentials or network access—these are external dependencies the user should vet.
Persistence & Privilege
Skill is not always-enabled, not requesting autonomous elevation or persistent installation. It does not modify other skills or system configs in the instructions.
Assessment
This skill appears to do what it says (fetch RSS, summarize, speak). Before installing or using it: (1) verify and fix the suspicious/mistyped Xinhua RSS URL (the domain/path with '臆' looks wrong), (2) prefer official feeds where possible (rsshub.app is a third-party proxy—replace with publisher-hosted RSS if available), (3) vet the 'Coze TTS' tool (find an official source/repo and inspect it) before using it, (4) avoid automatically downloading/playing audio from untrusted 'audio URLs'—treat any downloaded media as untrusted content, and (5) be aware you'll need permission to install local TTS packages (espeak-ng/ffmpeg) on Linux. If you want higher assurance, ask the skill author for authoritative feed URLs and source/documentation for Coze TTS.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

📰 Clawdis
