AK RSS 24h Brief
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: ak-rss-24h-brief
Version: 0.1.2

The skill bundle is designed to fetch and summarize RSS/Atom feeds from an OPML list. The `scripts/generate_brief.py` script uses `urllib.request` to perform network calls to fetch the OPML file and subsequent RSS feeds, which is necessary for its stated purpose. It parses XML content using `xml.etree.ElementTree` and performs text processing and summarization. There is no evidence of intentional malicious behavior such as data exfiltration, unauthorized command execution, persistence mechanisms, or prompt injection attempts in `SKILL.md`. While the ability to fetch from arbitrary URLs via `--opml-url` could be a vulnerability in a different context (e.g., SSRF), it is a core, expected function of this skill and does not demonstrate malicious intent within the skill's code itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may contact many external feed servers and expose normal network metadata such as the user's IP address and request timing.
The skill is designed to fetch an OPML source and then fetch feed URLs listed inside it. This is expected for an RSS brief, but it means an untrusted OPML could cause outbound requests to many URLs.
`--opml-url` / `--opml-file`: OPML source ... `--max-feeds`: max feeds to fetch (default `200`)
Use OPML files or URLs from trusted sources, lower `--max-feeds` if needed, and review custom OPML lists before using them.
Users have less provenance information to help decide whether they trust the skill publisher.
The skill has limited provenance information and no homepage. The included behavior is simple and purpose-aligned, but users have less external context for the publisher or source.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included script and prefer installing from publishers or repositories you trust.
