Follow News
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: follow-news
Version: 0.1.0

The skill is a complex news aggregation pipeline that uses multiple Python scripts (e.g., `run-pipeline.py`, `fetch-github.py`) to collect data from RSS, Twitter, and GitHub. It exhibits several 'risky capabilities' as defined in the analysis criteria, including extensive outbound network access to various APIs and the handling of numerous sensitive environment variables and API keys. Furthermore, the skill employs `subprocess` calls to execute system commands such as `openssl` and `gh`, and supports browser automation via OpenCLI to bypass Twitter API limits. While these behaviors appear aligned with the stated purpose of news gathering, the combination of shell execution, browser control, and secret handling warrants a suspicious classification and further manual code audit.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may not work as installed, or a user may need to obtain unreviewed code from an external source to make it functional.
The skill relies on helper scripts such as run-pipeline.py, validate-config.py, and the per-source fetchers, but the provided manifest lists only SKILL.md and no install spec or code files. That limits review of the actual runnable implementation.
Evidence: "Run `run-pipeline.py` first, then render with the requested template."
Recommendation: Use only a verified repository and version, and review the referenced scripts before running them or giving them credentials.
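A quick way to confirm the gap this note describes is to cross-check the scripts SKILL.md tells the user to run against the files the package actually ships. The check below is an added example written for this report; it is not ClawScan's code or part of the follow-news skill. The SKILL.md excerpt and the shipped-file list are constructed for illustration, and the assumption that SKILL.md refers to helpers by filename (run-pipeline.py, validate-config.py, fetch-github.py) is this example's own.

```python
"""Added example (not part of the ClawScan report or the follow-news skill):
cross-check the scripts a SKILL.md refers to against the files a skill
package actually ships. The SKILL.md text and shipped-file set below are
constructed for illustration; a real package will differ."""
import re
from pathlib import Path

# Matches script-like filenames such as run-pipeline.py, fetch-github.py, render.sh
SCRIPT_REF = re.compile(r"\b[\w.-]+\.(?:py|sh|js|ts)\b")


def referenced_scripts(skill_md: str) -> set[str]:
    """Every script filename mentioned anywhere in the SKILL.md text."""
    return set(SCRIPT_REF.findall(skill_md))


def missing_scripts(skill_md: str, shipped: set[str]) -> set[str]:
    """Scripts SKILL.md tells the user to run that the package does not contain.
    Any hit means the user would have to fetch unreviewed code from elsewhere."""
    return referenced_scripts(skill_md) - shipped


def shipped_files(skill_dir: Path) -> set[str]:
    """Basenames of files actually present in an unpacked skill directory."""
    return {p.name for p in skill_dir.rglob("*") if p.is_file()}


# Constructed SKILL.md excerpt (illustrative, not the real file)
SAMPLE_SKILL_MD = """\
# follow-news
Run `validate-config.py` to check sources, then `run-pipeline.py` first,
then render with the requested template. `fetch-github.py` needs GITHUB_TOKEN.
"""
# Constructed manifest: the package ships only SKILL.md, as the finding describes
SAMPLE_SHIPPED = {"SKILL.md"}


def audit(skill_md: str = SAMPLE_SKILL_MD, shipped: set[str] = SAMPLE_SHIPPED) -> dict:
    """Summarise the gap between documented and shipped scripts."""
    missing = missing_scripts(skill_md, shipped)
    return {
        "referenced": sorted(referenced_scripts(skill_md)),
        "missing": sorted(missing),
        "complete": not missing,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(), indent=2))
```

Point `shipped_files()` at an unpacked skill directory instead of `SAMPLE_SHIPPED` to run it against a real package; a non-empty `missing` list is the signal that the runnable implementation was never in front of the reviewer.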
If over-scoped or mishandled, these credentials could expose provider accounts or GitHub App access.
The skill discloses optional provider credentials for Twitter/X, search, and GitHub access. These are purpose-aligned for collecting news and rate-limit handling, but they are sensitive account credentials.
Evidence (credential variables the skill documents):
GETX_API_KEY ...
X_BEARER_TOKEN ...
TWITTERAPI_IO_KEY ...
GITHUB_TOKEN ...
GH_APP_KEY_FILE ... Path to GitHub App private key PEM file
Recommendation: Provide only the minimum read-only credentials needed, avoid broad GitHub tokens and private keys where possible, and rotate any key that has been used with unreviewed helper scripts.
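The recommendation above is easier to follow with a preflight step between the shell and the helper scripts. The code below is an added example for this report, not ClawScan's code and not part of the follow-news skill: it classifies the credential variables the finding lists, warns when GITHUB_TOKEN is a classic PAT (prefix `ghp_`, which cannot be limited to one repository, unlike a fine-grained `github_pat_` token), checks the GitHub App key file's permissions when it exists, and builds an allow-listed environment so a helper script receives only the keys it was approved for. The sample environment, the base-variable list, and the `run_helper` wrapper are this example's assumptions.

```python
"""Added example (not part of the ClawScan report or the follow-news skill):
preflight the credential variables the skill documents, then launch a helper
script with an allow-listed environment. Variable names come from the finding;
the classification rules, base variables and sample environment are assumptions."""
import os
import stat
import subprocess
from pathlib import Path
from typing import Optional

# Credential variables the skill documents (names from the finding)
CREDENTIAL_VARS = {
    "GETX_API_KEY", "X_BEARER_TOKEN", "TWITTERAPI_IO_KEY",
    "GITHUB_TOKEN", "GH_APP_KEY_FILE",
}
# Harmless variables a Python pipeline needs just to start (assumption)
BASE_VARS = {"PATH", "HOME", "LANG", "TMPDIR"}


def github_token_kind(token: str) -> str:
    """Classify a GitHub token by its documented prefix: fine-grained PATs
    (github_pat_) can be limited to chosen repositories and read-only permissions;
    classic PATs (ghp_) grant coarse scopes across every repository the user sees."""
    if token.startswith("github_pat_"):
        return "fine-grained"
    if token.startswith("ghp_"):
        return "classic"
    return "unknown"


def pem_permission_warning(path: str) -> Optional[str]:
    """Warn if the GitHub App private key file is readable by group or others."""
    p = Path(path)
    if not p.is_file():
        return None  # nothing to inspect offline; the skill would fail later anyway
    mode = p.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"GH_APP_KEY_FILE: {path} is group/other accessible ({stat.filemode(mode)}); chmod 600 it"
    return None


def preflight(env: dict) -> list:
    """Return warnings about over-scoped or risky credentials present in env."""
    warnings = []
    present = sorted(v for v in CREDENTIAL_VARS if env.get(v))
    if present:
        warnings.append("credentials exposed to the skill: " + ", ".join(present))
    tok = env.get("GITHUB_TOKEN", "")
    if tok and github_token_kind(tok) == "classic":
        warnings.append("GITHUB_TOKEN: classic PAT (ghp_) cannot be limited to one repo; use a fine-grained read-only token")
    key_file = env.get("GH_APP_KEY_FILE")
    if key_file:
        warnings.append("GH_APP_KEY_FILE: a GitHub App private key is a long-lived signing credential; only provide it if the skill genuinely uses App auth")
        w = pem_permission_warning(key_file)
        if w:
            warnings.append(w)
    return warnings


def minimal_env(env: dict, needed: set) -> dict:
    """Environment a helper script should receive: base vars plus only the
    credentials explicitly approved. Other provider keys and unrelated secrets
    (cloud credentials, for instance) are dropped rather than inherited."""
    unknown = needed - CREDENTIAL_VARS
    if unknown:
        raise ValueError(f"not a documented skill credential: {sorted(unknown)}")
    return {k: v for k, v in env.items() if k in BASE_VARS or k in needed}


def run_helper(script: str, needed: set, env: Optional[dict] = None) -> int:
    """Launch a reviewed helper script with the allow-listed environment only.
    Not called at import time; use it after reading the script's source."""
    env = os.environ.copy() if env is None else env
    proc = subprocess.run(["python3", script], env=minimal_env(env, needed), check=False)
    return proc.returncode


# Constructed sample environment (illustrative values, not real secrets)
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/analyst",
    "GITHUB_TOKEN": "ghp_" + "0" * 36,
    "X_BEARER_TOKEN": "constructed-bearer-token",
    "GH_APP_KEY_FILE": "/home/analyst/.keys/follow-news-app.pem",
    "AWS_SECRET_ACCESS_KEY": "constructed-unrelated-secret",
}

if __name__ == "__main__":
    for w in preflight(SAMPLE_ENV):
        print("WARN", w)
    print(sorted(minimal_env(SAMPLE_ENV, {"X_BEARER_TOKEN"})))
```

Calling `run_helper("run-pipeline.py", {"X_BEARER_TOKEN"})` after reviewing the script gives it the X credential and nothing else; asking for a variable outside the documented set raises instead of silently leaking it. The prefix check only tells you the token class, not its scopes, so a classic token's actual scopes still need to be confirmed with the provider before use.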
Running the skill may open or close browser tabs/windows and could use the active account context depending on the OpenCLI setup.
The skill may use OpenCLI/browser automation for X/Twitter collection. This is disclosed and aligned with KOL monitoring, but browser automation can interact with user sessions or browser windows.
Evidence (OpenCLI-related variables the skill documents):
OPENCLI_CLOSE_TABS_AFTER_RUN ... close OpenCLI-created X/Twitter tabs
OPENCLI_CLOSE_CHROME_WINDOWS_AFTER_RUN ... close Chrome automation windows opened by OpenCLI on macOS
Recommendation: Run browser-backed collection in a dedicated browser profile and account, and confirm what OpenCLI can access before using it.
