Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smart Journal Monitor(RSS+AI)

v1.0.0

Use smart journal monitor for evidence insight workflows that need structured execution, explicit assumptions, and clear output boundaries.

by AIpoch @aipoch-ai
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description advertise 'RSS+AI' and "monitoring" of journals, but the only executable (scripts/main.py) performs a simple, local scoring of articles loaded from a provided JSON file or demo data. There is no RSS retrieval, no network or API calls, and no AI/model usage in the code. The SKILL.md also mentions a CONFIG block and packaged behavior not present in the script. The requested capabilities (RSS ingestion, AI analysis) are not implemented, so the declared purpose and actual capability are inconsistent.
Instruction Scope
SKILL.md instructs the agent to validate inputs and run the packaged script (python -m py_compile and python scripts/main.py --help), which matches the code's CLI. However, the documentation references additional artifacts (a CONFIG block, packaged RSS/AI workflows, and 'references/' guidance) that are not implemented or are only minimal. The instructions do not ask for unrelated system files or credentials, and the runtime behavior described (no external API calls) matches the code.
Install Mechanism
There is no install specification — this is instruction-only with a small included Python script. That is low-risk from an installation perspective; nothing is downloaded or installed by the skill itself.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The script operates on local JSON input passed via --articles, so no extra environment or secrets are requested — this is proportionate to the implemented functionality.
Persistence & Privilege
always is false and the skill does not request persistent presence or modify agent/system configuration. It only contains a CLI script intended for on-demand invocation.
What to consider before installing
This skill is internally inconsistent: it advertises 'RSS+AI' monitoring but the shipped script only scores local JSON articles and makes no network or model calls. Before installing or using it:
1) ask the author to explain where RSS ingestion and AI processing are implemented (or provide the missing code/config);
2) review the script yourself (or have someone you trust do so) and confirm it matches your expectations;
3) if you plan to run it, test using the demo flag and sample JSON in a sandboxed environment and avoid supplying sensitive data in the --articles file;
4) consider asking for version-pinned dependencies and a clear CONFIG or README that documents real inputs/outputs.
The mismatch may be benign (unfinished or placeholder skill) but do not assume it provides the advertised RSS/AI capabilities without further clarification.

Like a lobster shell, security has layers — review code before you run it.


