Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the code: both fetch Solidot articles and push or save content. However, the skill metadata declares no required binaries while the runtime scripts call external CLIs (openclaw browser commands and a feishu_doc CLI). That mismatch is an incoherence — those binaries/tools are needed for full functionality but are not declared.
Instruction Scope
SKILL.md limits runtime actions to running fetch.sh (or cron) and optionally setting FEISHU_DOC_TOKEN. The scripts only visit solidot.org (via browser or direct HTTP), build message content, and either write locally or attempt to write to a Feishu document. They do not read unrelated system files or transmit data to unexpected remote hosts.
Install Mechanism
No install spec (instruction-only plus bundled scripts). Nothing is downloaded or written by an installer; risk is low from install mechanism.
Credentials
The skill does not declare required env vars in registry metadata, but both SKILL.md and scripts accept FEISHU_DOC_TOKEN (and the shell script references FEISHU_APP_ID/FEISHU_APP_SECRET). Those env vars are proportional to pushing to Feishu, but the omission from metadata is an inconsistency the user should be aware of.
Persistence & Privilege
always is false and the skill does not request permanent presence or modify other skills or global agent settings. It may be invoked autonomously (default), which is normal.
Assessment
This skill is internally consistent with its stated purpose — it scrapes solidot.org and prepares a Feishu doc. Before installing: (1) be aware the scripts expect the openclaw browser commands and a feishu_doc CLI to be available (these are not declared in the registry metadata); if you don't have them the push step will fall back to saving locally. (2) The Python parser has a likely typo (a 'shref' regex) and may fail to extract articles — expect brittle parsing. (3) If you configure FEISHU_DOC_TOKEN, ensure the token's scope is limited to the document/space you intend; treat tokens like secrets. (4) Because the shell script starts a browser and navigates pages, run this in a trusted/sandboxed agent if you are concerned about browser-based actions. If you want higher assurance, review or run the scripts locally first and verify the presence and behavior of openclaw and feishu_doc CLIs.Like a lobster shell, security has layers — review code before you run it.
latest
n0nsense@n0nsense11
DownloadSolidot 资讯推送
抓取 Solidot (solidot.org) 的热门文章和最新文章,推送到飞书文档。
触发方式
当用户说:
- "推送 solidot"
- "抓取 solidot"
- "solidot 资讯"
使用方法
手动执行
bash ./fetch.sh
配置飞书推送(可选)
设置环境变量推送到飞书文档:
export FEISHU_DOC_TOKEN="你的飞书文档token"
定时任务
自动每天早上 8 点推送:
openclaw cron add \
--name "solidot每日资讯" \
--schedule "cron 0 8 * * * Asia/Shanghai" \
--agentTurn "执行命令: bash $SKILL_DIR/fetch.sh"
输出
生成飞书文档或本地文件,包含:
- 热门/最新文章 (最多15条)
- 文章标题、链接
文件位置
- 技能目录:
./(即$SKILL_DIR) - 推送脚本:
./fetch.sh - 本地保存:
$WORKSPACE/solidot-push.md
Comments
Loading comments...