Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
每日要闻(可定制版)· Customizable Daily Briefing
v1.1.3
Multi-source AI/Tech news aggregator with intelligent daily briefings. Covers AI, technology, finance, and world events — with hot/cold ranking and source at...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to aggregate AI/tech news using Twitter (bird CLI) or Grok API and the SKILL.md provides workflows for both backends; the required tools and searches are coherent with a news‑aggregator purpose.
Instruction Scope
Runtime instructions explicitly direct the user/agent to read and load local credential files (~/.agent-reach-twitter.env and ~/.grok-api-key), extract Chrome cookies (auth_token, ct0), install and run third‑party CLIs (agent-reach, bird), perform many web_search/web_fetch calls, and add scheduled cron jobs. The SKILL.md operates on local credential files and instructs loading them into process environment variables — these actions involve sensitive data and are not declared in the skill metadata.
Install Mechanism
There is no automated install spec in the registry (instruction‑only), but the docs ask users to pip install agent-reach and npm -g install @steipete/bird. Manual installs reduce automatic risk but require trusting third‑party packages; no suspicious download URLs are present, but global npm installs and pip packages should be vetted.
Credentials
Although the skill metadata lists no required env vars, the instructions require session cookies (AUTH_TOKEN, CT0) or a Grok API key and show commands to store/load them from local files. This is proportionate to the Twitter/Grok backends, but the discrepancy between declared metadata and the credential handling in SKILL.md should be flagged and the practice of storing session cookies in plaintext is risky.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges. It suggests adding scheduled cron jobs via openclaw cron (user‑driven action). There is no instruction to modify other skills or system configs beyond the user's own scheduling/credential files.
What to consider before installing
This skill appears to do what it says (aggregate news) but it requires you to install third‑party packages and to supply sensitive credentials: either Twitter session cookies copied from your browser (auth_token and ct0) or a Grok API key saved in a local file. Before installing or using it: (1) verify and trust the upstream packages (agent‑reach, @steipete/bird) and consider installing them in an isolated environment; (2) avoid storing browser session cookies in plaintext if possible — prefer API keys with limited scope and rotate them after use; (3) understand that using Twitter cookies may expose your account/session if mishandled; (4) ask the skill author to declare required credentials in the registry metadata and to provide a safer auth flow; (5) review any commands you run (especially global npm installs and cron entries) and test in a disposable environment if you are unsure.
Like a lobster shell, security has layers — review code before you run it.
