fastfish-hot-news-push: Daily hot-news push (configurable filter words)
Pass. Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed hot-news notification skill that uses external scripts, messaging credentials, and scheduled jobs, with no artifact-backed evidence of hidden or malicious behavior.
Before installing, review the external GitHub repository and dependencies, pin the documented release tag, run it in an isolated environment, configure only the messaging credentials you actually need, and keep track of any cron jobs you create.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the external repository or dependencies are compromised, local code could run with the user's permissions.
The skill depends on external repository code and Python dependencies that were not included in the provided artifact set, though the documentation clearly discloses this and recommends pinning and isolation.
This Skill guides the installation and running of a third-party repository from GitHub. Supply-chain risk: clone + pip install will execute external code
Review the GitHub repository and requirements, pin a trusted release tag, use a virtual environment or container, and avoid running as root.
The agent may run local project scripts that fetch data, write to the project's database, or send configured notifications.
The skill authorizes direct local command execution, but narrows it to specific documented scripts and explicitly forbids arbitrary commands.
Script commands must be executed with `system.run`... system.run only executes the scripts listed in this Skill's documentation
Only invoke the skill for the documented news-push tasks, verify script paths before running, and do not approve arbitrary command substitutions.
Anyone with these credentials may be able to post to the configured chat or messaging channel.
The skill requires messaging webhooks or bot tokens to push notifications; these credentials are expected for the purpose, and the document tells the agent not to print them.
"env": ["HOT_PUSH_FEISHU_WEBHOOK", "HOT_PUSH_DINGTALK_WEBHOOK", "HOT_PUSH_DINGTALK_SECRET", "HOT_PUSH_TELEGRAM_BOT_TOKEN", "HOT_PUSH_TELEGRAM_CHAT_ID"]
Configure only the channel you need, store secrets in .env or OpenClaw environment settings, do not share them in group chats, and rotate tokens if exposed.
The news-push task may keep running on a schedule until the user disables or removes it.
The skill documents recurring scheduled jobs for daily news pushes. This is purpose-aligned and disclosed, but it creates persistent activity.
openclaw cron add --name "每日热点" --cron "0 8 * * *" ...
Create scheduled jobs only when you want ongoing pushes, record the job IDs, and remove or update them when the schedule is no longer desired.
