Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

newsnow

v1.0.0

CLI tool to fetch trending news and hot topics from 66 sources across 44 platforms. Returns structured news items with titles, URLs, and metadata. USE FOR: -...

by chencheng (云谦) @sorrycc
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a Node.js CLI (newsnow) and explicitly says "Requires npm install" / suggests using npx. The registry entry, however, declares no install spec, no source/homepage, and no required binaries. That mismatch (describing a package but providing no origin or install instructions) is disproportionate to the stated purpose because an agent or user following the README would fetch code from npm with npx without the registry vetting where it comes from.
Instruction Scope
The instructions themselves are narrowly scoped to running the newsnow CLI and using --json; they do not instruct reading unrelated files or exfiltrating data. However they direct the operator/agent to run npm/npx to fetch external code at runtime (implicit network fetch and execution), which expands the attack surface beyond a pure instruction-only skill.
Install Mechanism
There is no install spec in the registry, yet SKILL.md requires npm install / suggests npx. That means the expected install comes from the public npm registry (or npx resolving a package) but the package name, publisher, and homepage are not provided in the skill metadata — making it unclear what will be downloaded and executed. Instruction-only skills that tell agents to npx unknown packages create higher risk.
Credentials
SKILL.md lists PRODUCTHUNT_API_TOKEN as required for the producthunt source, but the registry's required env vars list is empty. This inconsistency means an agent or user may be asked for a secret that wasn't declared up-front. The single env var is plausible for Product Hunt integration, but it should be declared in the metadata.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not appear to modify other skills or agent configs. Autonomous invocation is allowed (default) but not combined with other high-privilege requests.
What to consider before installing
This skill's README expects you to install/run a Node package (npx newsnow) but the registry gives no package URL, homepage, or install spec and fails to declare the PRODUCTHUNT_API_TOKEN env var it mentions. Before installing or running this skill: 1) find the npm package name and publisher and verify the project homepage/source code and maintainer reputation; 2) avoid supplying secrets (API tokens) until you confirm the package's source and intent; 3) prefer running npx in an isolated environment (container or sandbox) and inspect the fetched package contents before execution; 4) if you can't find a trustworthy upstream (GitHub project, homepage, clear publisher), treat the package as untrusted and do not run it.
