Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
News Evening Digest - 新闻晚报
v1.0.0 · Automatically pushes a global evening news digest to QQ and Feishu every evening at 8 pm, using World Monitor as the reference data source.
⭐ 0 · 39 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (an evening news digest pushed to QQ/Feishu) match the included script's apparent goal, but the package metadata declares no required env/config while SKILL.md and the script clearly expect credentials (a Feishu webhook URL and a Tavily API key). SKILL.md mentions World Monitor and WORLD_MONITOR_API, but the script calls a Tavily API and reads TAVILYAPIKEY; this mismatch is inconsistent with the stated registry requirements.
Instruction Scope
SKILL.md instructs the user to store API keys in ~/.openclaw/.env and to schedule a cron job that runs the script, which is reasonable for a push skill, but it also references a separate 'Multi-Source-Research' capability and Tavily Search. The runtime script issues outbound HTTP requests and expects a further search/monitoring integration; SKILL.md grants broad discretion for multi-source aggregation without describing any privacy or scope controls. There are also code-level defects (the script calls tavily_search in one place although only multi_source_search is defined), which point to either runtime errors or hidden behavior.
Install Mechanism
No install spec (instruction-only plus a script). Nothing is downloaded during install and no packages are auto-installed by the skill definition — lowest install risk. The only artifact is a Python script that will run when scheduled.
Credentials
SKILL.md documents FEISHU_WEBHOOK_URL and WORLD_MONITOR_API, but the code reads the TAVILYAPIKEY and MULTI_SOURCE_ENABLED environment variables. The registry declares no required env vars. This mismatch means the required credentials are not declared to the platform and could be overlooked by a user; storing secrets in ~/.openclaw/.env is also suggested but neither enforced nor secured.
Persistence & Privilege
Skill is not always-enabled and does not request special platform privileges. It only instructs the user to add a cron job (or OpenClaw cron) — normal for scheduled tasks. No evidence it modifies other skills or system-wide settings.
What to consider before installing
Do not install blindly. Actionable checks before use:
- Inspect the full fetch_and_digest.py (the provided file is truncated) and confirm where and how it sends data (Feishu webhook URL, any other endpoints). Ensure no hidden/external endpoints beyond explained APIs.
- Fix env var mismatches: SKILL.md mentions FEISHU_WEBHOOK_URL and WORLD_MONITOR_API but the script requires TAVILYAPIKEY and optionally MULTI_SOURCE_ENABLED. Make environment requirements explicit in the registry and SKILL.md.
- Verify and test locally in a sandbox/VM: run the script manually, confirm it only performs expected HTTP requests to documented services (Tavily, World Monitor, Feishu), and inspect request payloads.
- Audit dependencies: identify whether this skill expects a separate 'Multi-Source-Research' skill — if so, review that skill too before connecting them.
- Protect secrets: do not store webhook/API keys in shared plaintext files without appropriate file permissions; consider using a secrets manager or platform-provided secure env storage.
- Limit blast radius: if adding the cron job, start with a test schedule and a test Feishu/QQ bot (not a production channel) to verify content and avoid accidental posting of sensitive material.
- If you are not comfortable auditing the script, treat this as untrusted code and avoid granting it network/cron access. Fix the code issues (undefined function calls, inconsistent env names) before relying on it.
latest: vk97cwykwm51ycema0dattjvp5s83xf2h
