ClawHub
Back to skill
v1.0.0

a skill for Chinese users access RSS subscription aggregation through the openclaw on cloud services, enabling them to view RSS feeds recommended by Andrej Karpathy.

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:08 AM.

Analysis

This appears to be a straightforward RSS setup guide, but it asks you to install remote software and another skill, so only run the commands if you trust those sources.

GuidanceBefore installing, check that you trust the feed GitHub repository, the Go proxy, and the separate rss-digest skill. Run the sudo and go install commands only on a Linux system you control, and consider pinning package versions for more predictable installs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
README.md
sudo apt update
sudo apt install golang-go
...
go install github.com/odysseus0/feed/cmd/feed@latest

The skill instructs the user to run local shell commands that install system packages and a Go-based tool. This is disclosed and aligned with the RSS setup purpose, but it changes the user's environment.

User impactRunning these commands can modify the local or cloud system by installing software.
RecommendationRun the commands only in an environment you control, review what will be installed, and avoid using sudo unless you are comfortable with the system changes.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
README.md
export GOPROXY=https://goproxy.cn,direct
# Install feed
go install github.com/odysseus0/feed/cmd/feed@latest

The feed tool is installed from a remote GitHub module using the moving @latest version and a third-party Go proxy. This is expected for the setup, but the exact installed code can change over time.

User impactA future or compromised upstream package, mirror, or dependency could affect what gets installed.
RecommendationVerify the upstream repository and Go proxy, and prefer pinning a known version instead of using @latest when possible.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
README.md
The rss-digest skill must be installed separately

The skill depends on another OpenClaw skill for importing and aggregating feeds. This is purpose-aligned, but users should evaluate that separate skill independently.

User impactInstalling another skill may add behavior or permissions not described by this skill's artifacts.
RecommendationReview the rss-digest skill's own source, permissions, install steps, and data handling before installing it.