ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

local-model-router

v1.0.1

自动生成科技新闻摘要。从多个来源(RSS、Twitter、GitHub、Web Search)抓取科技新闻,整合后生成摘要。

0· 183·0 current·0 all-time
by@ppop0uuiu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ppop0uuiu/local-model-router.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "local-model-router" (ppop0uuiu/local-model-router) from ClawHub.
Skill page: https://clawhub.ai/ppop0uuiu/local-model-router
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install local-model-router

ClawHub CLI

Package manager switcher

npx clawhub@latest install local-model-router
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Metadata name is 'local-model-router' while the description, SKILL.md, and code implement a tech-news digest — name/purpose mismatch. The README claims outputs like Discord/Email/PDF, but the included scripts only fetch RSS feeds and write local JSON/markdown/text files. Several optional API keys are listed in SKILL.md (Twitter, Brave, TAVILY, GitHub) but the provided Python scripts only read RSS feeds and do not call those services.
!
Instruction Scope
SKILL.md instructs creating a workspace config and running 'python3 scripts/run-pipeline.py' to produce output; no scripts/run-pipeline.py exists in the bundle. SKILL.md also promises parallel fetch from multiple sources (RSS, Twitter, GitHub, Web Search) and various output channels, but the actual scripts (fetch-news.py and daily-digest.py) only parse RSS feeds, translate text (optional), and save local files. The SKILL.md lists environment variables that the code does not read. This discrepancy grants the agent broad discretion without implementation to justify it.
Install Mechanism
No install spec (instruction-only), which minimizes installer risk. SKILL.md recommends 'pip install -r requirements.txt' and a requirements.txt is present (feedparser, requests, python-dateutil). However the code optionally imports deep_translator (GoogleTranslator) but deep_translator is not in requirements.txt, indicating incomplete dependency specification.
!
Credentials
SKILL.md lists multiple API keys as optional (TWITTERAPI_IO_KEY, X_BEARER_TOKEN, TAVILY_API_KEY, BRAVE_API_KEY, GITHUB_TOKEN) but none of the included scripts access these environment variables. Asking for many credentials unrelated to the provided implementation is disproportionate and could confuse users into supplying unnecessary secrets.
Persistence & Privilege
Skill is not always-enabled, does not request system-wide config changes, and does not declare required config paths or credentials. Scripts write files under scripts/workspace which is local and expected for this use case.
What to consider before installing
This package appears to be a simple RSS news summarizer, but there are clear inconsistencies you should consider before installing: the skill's registry name ('local-model-router') doesn't match its content; SKILL.md instructs running a non-existent 'scripts/run-pipeline.py'; it claims integration with Twitter/GitHub/Brave/Tavily and output channels (Discord/Email/PDF) that are not implemented in the included scripts; and the translator library used in code (deep_translator) is not listed in requirements.txt. Do not provide API keys unless you can confirm the code actually uses them. If you still want to use it, review the code locally, add the missing dependency (or remove unused env var prompts), and fix or implement the missing run-pipeline script or update SKILL.md to match the real behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk977qc5j59bcwzy5mw117b1hed833s57
183downloads
0stars
2versions
Updated 22h ago
v1.0.1
MIT-0
@ppop0uuiu
latest
Download

Tech News Digest

自动科技新闻摘要生成器。

功能

  • 从 6 个来源并行抓取新闻:RSS、Twitter、GitHub、Web Search 等
  • 自动去重、评分、排序
  • 支持 Discord、Email、PDF 模板输出

使用方法

配置

# 复制默认配置
mkdir -p workspace/config
cp config/defaults/sources.json workspace/config/
cp config/defaults/topics.json workspace/config/

环境变量(可选)

  • TWITTERAPI_IO_KEY - Twitter API
  • X_BEARER_TOKEN - X Twitter
  • TAVILY_API_KEY - 搜索 API
  • BRAVE_API_KEY - Brave Search
  • GITHUB_TOKEN - GitHub

生成摘要

python3 scripts/run-pipeline.py \
  --defaults config/defaults \
  --config workspace/config \
  --hours 48 \
  --output /tmp/td-merged.json

注意

  • 需要 Python 3
  • 需要安装依赖:pip install -r requirements.txt
  • 免费 API 额度有限

Comments

Loading comments...