Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
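A skill for Chinese users to access RSS subscription aggregation through openclaw on cloud services, enabling them to view RSS feeds recommended by Andrej Karpathy.
v1.0.0 Helps users set up an RSS subscription system with Chinese mirror support, including installing the feed tool, importing RSS feed sources, and aggregating subscription content. Especially suited to openclaw deployed on Alibaba Cloud, Volcengine, or Tencent Cloud; for local installation, switch according to your operating system.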
by @roryyu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim to set up an RSS subscription system with Chinese mirror support; the SKILL.md only instructs installing Go, setting GOPROXY to a Chinese proxy, running 'go install' for a feed tool, and importing an OPML of feeds via an external 'rss-digest' skill. All requested actions are coherent with the described purpose.
Instruction Scope
Instructions are narrowly scoped to installing the feed binary, configuring GOPROXY, and importing/aggregating an OPML list. Two points to note: (1) the OPML contains many external feed URLs from many domains — importing/aggregating will cause fetching content from those sites (expected for an aggregator), and (2) the guide tells the user to install another skill ('rss-digest') whose behavior/permissions are not described here, so you should review that skill before installing it.
Install Mechanism
There is no automated install spec (lowest platform risk), but the runtime instructions ask the user to run 'go install github.com/odysseus0/feed/cmd/feed@latest' which fetches and builds source from GitHub. This is standard for Go tooling but means you should review the upstream repo before installing (this is a traceable public source, not an opaque binary download). The GOPROXY setting points to a well-known Chinese Go proxy (goproxy.cn), which is coherent with the stated goal.
Credentials
The skill declares no environment variables, no credentials, and no config paths. The only environment modification suggested is temporarily setting GOPROXY to a China mirror to speed Go module downloads — this is proportional to the stated purpose and does not request secrets or broad access.
Persistence & Privilege
always is false and the skill is instruction-only (no code written by the registry). It does not request permanent presence or modify other skills' configs. The agent is allowed to invoke autonomously by default, but that is platform normal and not a red flag here given the skill's limited scope.
Assessment
This skill is an instruction guide (it won't run anything by itself). Before proceeding: (1) be prepared to run sudo apt install and 'go install' commands — these will fetch and build code from GitHub (review https://github.com/odysseus0/feed beforehand if you want to verify the source), (2) the OPML imports feeds from dozens of external domains — aggregating will fetch content from those sites and may expose your deployment's IP to them, (3) the skill asks you to install a separate 'rss-digest' skill — inspect that skill's permissions/requirements before installing, (4) if you prefer safer testing, run the steps inside a container or VM (especially on cloud VMs), and (5) no credentials are requested by this skill, but always avoid pasting secrets into prompts when following installation advice.
Like a lobster shell, security has layers — review code before you run it.
