Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Creator Alpha Feed

v1.0.8

Collect and rank daily AI content for creator-focused publishing workflows. Use when users ask for AI topic scouting, KOL tracking (especially X/Twitter), practical tutorial picks, industry updates, or automated Feishu/Obsidian briefing pushes with configurable templates and time windows.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (AI content scouting, KOL/Twitter tracking, Obsidian/Feishu pushes) matches the included scripts: multiple collection scripts, ranking/analysis, and push guidance. However the skill metadata declares no required env vars or config paths while SKILL.md and scripts reference several environment variables and local paths (OBSIDIAN_CONFIG_PATH, OBSDIAN_REPORT_DIR, WORKSPACE_DIR, FEISHU_CHAT_ID/FEISHU_USER). That is an incoherence: the skill expects credentials/config but does not declare them.
Instruction Scope
SKILL.md instructs reading/writing real Obsidian vault paths, writing reports into specific directories, using OpenClaw browser/web_fetch and sessions_spawn tooling, and to pause for user login when needed. The bundled scripts perform wide web fetching (hn.algolia, reddit, TechCrunch via rss2json, rsshub.app, multiple Nitter instances) and write files under ~/.openclaw/workspace or the user's Obsidian vault. These actions are within the stated purpose but operate on local files and many remote endpoints — the instructions grant broad discretion to access web content and to write into user-owned directories that were not declared as required/configured in metadata.
Install Mechanism
No install spec (instruction-only in registry), which reduces distribution risk. However the skill bundle includes many shell scripts that will be present and runnable; they use curl/jq and rely on platform tooling (openclaw browser, sessions_spawn). There are no downloads from untrusted URLs nor archive extraction in the install phase, which is good, but the presence of executable scripts means executing them will perform network I/O and file writes.
Credentials
Although the registry lists no required environment variables or primary credential, the SKILL.md and scripts reference several environment variables (OBSIDIAN_CONFIG_PATH, OBSDIAN_REPORT_DIR, WORKSPACE_DIR, FEISHU_CHAT_ID, FEISHU_USER) and expect the agent to be able to send messages to Feishu and write into an Obsidian vault. Requesting or using chat IDs / messaging tokens and direct filesystem paths is proportionate to the stated push-to-Feishu / write-to-Obsidian functionality — but the fact these are not declared in the metadata is an inconsistency and makes it unclear what credentials the skill will need or try to use.
Persistence & Privilege
always is false and the skill does not request to be force-enabled. The scripts write to their own pipeline directories (e.g., ~/.openclaw/workspace/ai-content-pipeline) and to user-provided Obsidian paths; they do not modify other skills' configs or request elevated system-wide privileges. No evidence of automatic long-term persistence beyond normal files created under the user's workspace/vault.
What to consider before installing
This skill appears to implement the described content-collection and reporting workflow, but exercise caution before running it:

- The skill's metadata declares no environment variables, yet SKILL.md and the scripts expect environment variables and local paths (Obsidian vault paths, WORKSPACE_DIR, FEISHU_CHAT_ID/FEISHU_USER). Before installing or running, confirm which environment variables and credentials you will supply and why.
- Review the bundled scripts yourself (they are plain shell) — they make many network requests (hn.algolia, reddit, TechCrunch via rss2json, rsshub.app, multiple Nitter instances, etc.) and will write files into your home (~/.openclaw/workspace) and into the Obsidian vault path you provide. If you don't want external network access or writes into your vault, don't run them.
- If you plan to enable Feishu pushes, supply a dedicated chat/token with minimal scope; do not reuse high-privilege tokens. The scripts reference FEISHU_CHAT_ID/FEISHU_USER but do not handle token storage — determine how OpenClaw will authenticate pushes before providing credentials.
- Run in a sandbox or with restricted test vault/workspace first. Validate outputs and that no unexpected endpoints are contacted (check logs/collection.log). Monitor what the agent sends to sessions_spawn or other LLM calls — collected raw content is fed into AI analysis and could be transmitted externally.
- If you cannot or will not audit the scripts, avoid giving the skill write access to your real Obsidian vault or production workspace; instead provide a dedicated test folder and test credentials.

Given the undeclared env/config requirements and filesystem/network footprint, treat this skill as potentially risky until you confirm and control the environment it will run in.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97d000y5rja6ejphr89cenbh180wpkf
