Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Summarizer

v1.0.0

Fetch and summarize world news from BBC, Reuters, NPR RSS feeds. Can create voice summaries. USE WHEN: "What's happening in the world?", daily briefings, gen...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
Name and description claim RSS-based text and voice summaries; the SKILL.md shows exactly that (curl RSS, parse, summarize, call TTS). However the runtime instructions reference an OPENAI_API_KEY for TTS while the skill metadata declares no required env vars — this mismatch is unexplained.
Instruction Scope
Instructions are concrete: fetch public RSS with curl, parse with grep/sed, summarize, and call OpenAI TTS. They write audio to /tmp/news.mp3. The instructions do not ask for unrelated files or secrets beyond the OpenAI key, but they do perform network calls and write to disk (temporary file). The use of $OPENAI_API_KEY is explicit in SKILL.md but not declared in metadata.
Install Mechanism
No install spec and no code files (instruction-only). This minimizes disk-install risk — the skill relies on existing tools (curl, grep, sed).
! Credentials
Metadata requests no environment variables, yet the runtime TTS example uses $OPENAI_API_KEY. Requiring an OpenAI API key for TTS would be proportionate to the stated feature, but the missing declaration is an inconsistency that could lead to accidental credential exposure or confusion about which key/scope is used.
Persistence & Privilege
always is false and there is no install or persistent configuration. The skill does instruct writing a /tmp file, which is normal for temporary audio output, but it does not request elevated or permanent privileges.
What to consider before installing
This skill appears to do what it says (fetch RSS, produce text and voice summaries), but there are a few issues to consider before installing:

- SKILL.md uses $OPENAI_API_KEY for TTS but the skill metadata does not declare any required env vars. Confirm whether the skill will need your OpenAI key and what key scope it requires. Do not provide higher-privilege keys than necessary.
- The skill will make outbound network requests (curl to news sites and to api.openai.com). If you install it, be comfortable with the agent making those calls autonomously when invoked.
- It writes temporary audio to /tmp/news.mp3; ensure your environment's temp handling and permissions are acceptable.
- Source/homepage are unknown and there's no code review surface (instruction-only). If you need stronger assurance, ask the publisher for a verified source, or request that the skill metadata be updated to declare OPENAI_API_KEY as a required env var and document intended key scope and data handling (what summary text is sent to the TTS API).

If you are okay with the agent using your OpenAI key for TTS and making network calls to public RSS feeds, the functionality is coherent. If not, do not install until the metadata and provenance are clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f73sdnwgks6mjyf11tjdfax84f1yv
