FreshRSS Reader
v1.0.0Query headlines and articles from a self-hosted FreshRSS instance. Use when the user asks for RSS news, latest headlines, feed updates, or wants to browse articles from their FreshRSS reader. Supports filtering by category, time range, and count.
⭐ 3· 2.4k·5 current·6 all-time
by@nickian
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The script's purpose (querying a FreshRSS instance via the Google Reader API) matches the skill name/description. However, the skill metadata declares no required environment variables or binaries while both SKILL.md and scripts/freshrss.sh require FRESHRSS_URL, FRESHRSS_USER, and FRESHRSS_API_PASSWORD and rely on external tools (curl, jq, date). The declared metadata therefore understates what the skill needs.
Instruction Scope
Runtime instructions limit actions to calling the user's FreshRSS instance API and formatting results. The SKILL.md tells the agent to set three FreshRSS-related env vars and invoke the included script. The script only communicates with the FRESHRSS_URL host and does not call any other remote endpoints.
Install Mechanism
There is no network install step or external download — this is an instruction-only skill with an included shell script. Nothing is fetched from arbitrary URLs or extracted to disk during install.
Credentials
The skill actually requires three sensitive environment variables (FRESHRSS_URL, FRESHRSS_USER, FRESHRSS_API_PASSWORD) but the registry metadata lists none and has no primary credential. That mismatch is problematic: the skill expects credentials that are not declared in its manifest. The required env vars are appropriate for the stated purpose, but the manifest omission is an incoherence that can mislead users and automated permission reviews.
Persistence & Privilege
The skill does not request permanent presence (always:false), does not modify other skills or system configs, and does not persist credentials. It runs only when invoked and only accesses the FreshRSS instance provided by the user.
What to consider before installing
This skill appears to legitimately query a FreshRSS instance, but the package metadata is inconsistent with the actual code and instructions. Before installing or enabling it:
- Treat it as needing three sensitive environment values (FRESHRSS_URL, FRESHRSS_USER, FRESHRSS_API_PASSWORD). Only provide those for a FreshRSS instance you control or trust.
- The script requires curl and jq (and relies on OS-specific date behavior); ensure those tools are available and consider adding them to the manifest.
- Because the manifest omitted required credentials, automated permission checks may not catch that it needs secrets — don't assume lack of declared env vars means no credentials are used.
- Inspect the script locally yourself (or run it in an isolated environment) before giving it access to real credentials. The script prints the server response on auth failure, which could leak information — consider sanitizing error output.
- If you plan to use it long-term, ask the publisher to fix the manifest: declare the required env vars and list required binaries, and consider safer error handling.
If you cannot verify the source or are uncomfortable supplying your FreshRSS API password, do not install or enable this skill.Like a lobster shell, security has layers — review code before you run it.
latest
FreshRSS
Query headlines from a self-hosted FreshRSS instance via the Google Reader compatible API.
Setup
Set these environment variables:
export FRESHRSS_URL="https://your-freshrss-instance.com"
export FRESHRSS_USER="your-username"
export FRESHRSS_API_PASSWORD="your-api-password"
API password is set in FreshRSS → Settings → Profile → API Management.
Commands
Get latest headlines
{baseDir}/scripts/freshrss.sh headlines --count 10
Get headlines from the last N hours
{baseDir}/scripts/freshrss.sh headlines --hours 2
Get headlines from a specific category
{baseDir}/scripts/freshrss.sh headlines --category "Technology" --count 15
Get only unread headlines
{baseDir}/scripts/freshrss.sh headlines --unread --count 20
Combine filters
{baseDir}/scripts/freshrss.sh headlines --category "News" --hours 4 --count 10 --unread
List categories
{baseDir}/scripts/freshrss.sh categories
List feeds
{baseDir}/scripts/freshrss.sh feeds
Output
Headlines are formatted as:
[date] [source] Title
URL
Categories: cat1, cat2
Notes
- Default count is 20 headlines if not specified
- Time filtering uses
--hoursfor relative time (e.g., last 2 hours) - Category names are case-sensitive and must match your FreshRSS categories
- Use
categoriescommand first to see available category names
Comments
Loading comments...