ClawHub

ZAKER hot news 头条新闻

v1.0.6

获取ZAKER聚合权威媒体的最新头条新闻与热点资讯。Use when the user asks about 新闻, 头条, 最新新闻, 今日新闻, 热点新闻, 突发新闻, 国内外大事, 最近发生了什么, 有什么新鲜事, trending news, latest news, headlines, breakin...

1· 185·0 current·0 all-time
byZAKER@zaker-coder
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim to aggregate ZAKER headlines and the skill provides a concrete API endpoint (https://skills.myzaker.com/api/v1/article/hot?v=1.0.3) and two scripts that call it — this is coherent with the stated purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md specifies calling the listed API and returning a JSON object of articles; the shell script returns raw JSON (curl | jq) while the Python script prints human-readable text rather than returning the raw JSON object the SKILL.md claims the tool returns. The README also prescribes Markdown link formatting for output. These are functional mismatches (format/contract), not security escalations, but could cause runtime integration issues.
Install Mechanism
No install spec; the skill is instruction-only with small helper scripts. No downloads or archive extraction. Low installation risk.
Credentials
The skill requests no environment variables or credentials. It contacts a single HTTPS endpoint; no unrelated secrets or system paths are requested.
Persistence & Privilege
always is false and the skill does not request persistent system presence or modify other skills' configs. It can be invoked by the agent (normal behavior).
Assessment
This skill appears coherent and low-risk: it fetches news from a single HTTPS endpoint, asks for no credentials, and has no installer. Before installing, consider verifying the endpoint owner since the skill's source/homepage is unknown (skills.myzaker.com appears to be a third-party domain). Also note two small implementation mismatches: the Python helper prints human-readable text instead of returning the JSON object described in SKILL.md, and the shell helper uses jq (optional) though required binaries list is empty — ensure the runtime environment can handle these differences. If you need stronger assurance, ask the publisher for a homepage or verify the domain's TLS certificate and privacy policy.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bb48z9xhnwyngkn86539n2d84yjj9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments