Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

RSS Summarizer

v1.0.0

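Smart RSS subscription and summarization. For subscribing to, fetching, filtering and summarizing RSS/Atom feeds. Use when the user needs to track news and blog updates and get summaries.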

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wanan9812/rss-summarizer.

Install the skill "RSS Summarizer" (wanan9812/rss-summarizer) from ClawHub.
Skill page: https://clawhub.ai/wanan9812/rss-summarizer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install rss-summarizer

ClawHub CLI

npx clawhub@latest install rss-summarizer

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

[!] Purpose & Capability
The name/description promise subscription, fetching, filtering and summarization. The code implements subscription management, fetching, filtering, formatting (markdown/plain/json) and local persistence — but it does not implement any summarization logic and does not invoke any external 'oracle' CLI. The SKILL.md mentions push/notification to chat via a context.send function, but the provided script wrappers don't accept a callable send function from stdin. In short: core RSS management is coherent, but promised summarization and notification capabilities are not present in the implementation.

[!] Instruction Scope
SKILL.md tells the AI to call scripts with JSON via stdin and to pass a context.send function; in practice stdin cannot carry a JS function and the provided script wrappers read only JSON and don't wire up a send function. SKILL.md also notes summaries depend on an external 'oracle' CLI (and could encourage the agent to call such tooling), but none of the scripts call external CLIs. The instructions are therefore ambiguous/misleading and could cause the agent to try actions outside the skill's real behavior.

Install Mechanism
No install spec is provided (instruction-only style with code files). Dependencies are standard npm packages (rss-parser and its dependencies) as shown in package.json/package-lock.json. No downloads from arbitrary URLs or extract steps are present in the manifest.

Credentials
The skill declares no environment variables or credentials, which matches the code. However SKILL.md's mention of an external AI 'oracle' CLI implies additional tooling/credentials might be needed; those are not declared or implemented. Also the code performs outbound HTTP requests when fetching feeds (via rss-parser), which is appropriate but means feed URLs could cause network requests to arbitrary endpoints (consider SSRF/internal network risks if untrusted feeds are added).

Persistence & Privilege
The skill stores data under its own data directory (data/subscriptions.json and data/config.json) and only reads/writes those files. It does not request system-wide config changes, additional persistent privileges, or always:true. This is proportionate for a subscription manager.

What to consider before installing
This skill is coherent for subscribing, fetching and formatting RSS feeds and storing them locally, but its documentation overpromises: it mentions "summarization via oracle CLI" and passing a context.send function for notifications, yet the code does not implement those. Before installing:

  (1) ask the publisher to clarify or implement summarization and notification (and to declare any required CLI/tools or credentials);
  (2) if you expect summarization, require that the skill either call a declared, auditable service or expose a documented hook — do not let the agent invent commands;
  (3) be aware the skill will perform outbound HTTP requests for any feed URL you add (this can be abused to probe internal networks), so run the skill in a restricted/sandboxed environment and vet feed URLs;
  (4) npm dependencies are normal but ensure you install packages from a trusted environment and review package-lock for supply-chain concerns;
  (5) if you want notifications, confirm a concrete mechanism (e.g., an API endpoint or an explicit send script) rather than the current undocumented context.send approach.
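
The feed-URL vetting recommended in item (3), as an added example (not code from the skill or from ClawHub). The function names and the deny-list ranges are assumptions chosen for illustration; the sample addresses in the comments are constructed.

```javascript
// Added example: vet a feed URL before a fetcher such as rss-parser requests it.
const net = require('node:net');
const dns = require('node:dns').promises;

// Assumed minimal deny-list: unspecified, private, CGNAT, loopback, link-local.
const blocked = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
]) blocked.addSubnet(prefix, bits, 'ipv4');
for (const [prefix, bits] of [['::', 128], ['::1', 128], ['fc00::', 7], ['fe80::', 10]]) {
  blocked.addSubnet(prefix, bits, 'ipv6');
}

function isBlockedAddress(ip) {
  const family = net.isIP(ip);      // 4, 6, or 0 when not an IP literal
  if (family === 0) return true;    // fail closed on anything unparsable
  return blocked.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Synchronous policy check; `addresses` is every address the host resolved to.
function checkFeedUrl(rawUrl, addresses) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparsable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (addresses.length === 0) return { ok: false, reason: 'host did not resolve' };
  const bad = addresses.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `resolves to blocked address ${bad}` };
  return { ok: true, host: url.hostname };
}

// IP literal in the URL after WHATWG normalization, or null for a DNS name.
function literalHost(rawUrl) {
  const host = new URL(rawUrl).hostname.replace(/^\[|\]$/g, '');
  return net.isIP(host) ? host : null;
}

// Async wrapper: resolves DNS names, then applies checkFeedUrl.
async function vetFeedUrl(rawUrl) {
  try {
    const literal = literalHost(rawUrl);
    const addresses = literal ? [literal]
      : (await dns.lookup(new URL(rawUrl).hostname, { all: true })).map((a) => a.address);
    return checkFeedUrl(rawUrl, addresses);
  } catch { return { ok: false, reason: 'unparsable URL or DNS failure' }; }
}
```

A check made before the fetch does not cover HTTP redirects or a name that resolves differently when the fetcher looks it up again, so it complements the sandboxing in item (3) rather than replacing it.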

Tags: latest, news, productivity, rss, summarization
82 downloads
0 stars
1 version
Updated 3w ago
v1.0.0
MIT-0

RSS Summarizer Skill

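This skill provides RSS feed management, fetching and summarization.

When to use

  • The user wants to subscribe to an RSS/Atom feed
  • The latest content needs to be fetched periodically and summarized
  • Content needs to be filtered by keyword
  • Updates need to be pushed to chat or saved as a document

Available scripts

  • scripts/add.js - add a feed
  • scripts/list.js - list all feeds
  • scripts/remove.js - remove a feed
  • scripts/fetch.js - fetch the latest content and summarize it
  • scripts/configure.js - configure parameters (summary mode, language, maximum entries, filters)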

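Usage

When responding to a user request, the AI should call the corresponding script, pass JSON parameters (via stdin), and return the JSON result.

Common input/output format for the scripts:

Input (stdin):

{
  "context": { "send": function }, // optional, used to notify the user
  ... script-specific parameters (see each script)
}

Output (stdout):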

{
  "success": true,
  "message": "...",
  "data": { ... }
}

Example

The user says: "Subscribe to the Hacker News RSS". The AI calls scripts/add.js:

{ "url": "https://news.ycombinator.com/rss", "name": "Hacker News" }

After receiving the response, the AI confirms with the user.

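Data storage

The scripts store data in data/subscriptions.json and data/config.json. The files are created automatically on first run.

Notes

  • If a network error occurs while fetching, an error field is returned.
  • Summarization depends on an external AI service (via the oracle CLI); it can be extended if advanced summarization is needed.
  • Multi-language output is supported; the default is Chinese.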
