Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Aggregator Skill

v0.1.0

Comprehensive news aggregator that fetches, filters, and deeply analyzes real-time content from 8 major sources: Hacker News, GitHub Trending, Product Hunt, 36Kr, Tencent News, WallStreetCN, V2EX, and Weibo. Best for 'daily scans', 'tech news briefings', 'finance updates', and 'deep interpretations' of hot topics.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The declared purpose (aggregating and deeply analyzing multiple news sources) is plausible, but the SKILL.md expects a local script (scripts/fetch_news.py) and template files that are not present in the bundle. That mismatch means the skill as-published cannot operate without additional code or environment-provided tools.
Instruction Scope
Instructions direct the agent to run a local Python scraper, perform a broad 'deep' fetch that downloads and extracts article content, read templates.md from the skill directory, and write timestamped reports to reports/. Because no code or templates are included, the agent may attempt to locate or fetch missing files or run arbitrary local commands — giving it broad filesystem and network actions beyond the stated passive-aggregation description.
Install Mechanism
There is no install spec (instruction-only). That reduces installer risk because nothing is automatically downloaded or written by an installer. However, runtime commands still expect external scripts to exist.
Credentials
The skill requests no environment variables, credentials, or config paths — which is proportionate for a read-only aggregator. Notably, it plans to fetch content from third-party sites without asking for credentials.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does instruct saving reports to a reports/ directory (writing files), which is a modest persistence requirement but not an elevated platform privilege. Still, writing content fetched from arbitrary URLs can consume storage and persist potentially sensitive material.
What to consider before installing
This skill's instructions assume there is a local script (scripts/fetch_news.py) and template files, but the package contains only SKILL.md, so there is nothing to run. Before installing or invoking it, consider:
1) Ask the publisher for the missing scripts and templates or for a trusted source/repository URL so you can review the code.
2) If you must run it, run in a sandboxed environment (network- and filesystem-restricted) so the agent cannot fetch arbitrary code or read unrelated files.
3) Review any scripts (fetch_news.py, templates.md) yourself for scraping behavior, third-party libraries, and any places that might exfiltrate data.
4) Be aware it will download and extract article content (--deep) and save reports to disk; ensure you are comfortable with storing potentially copyrighted or sensitive content.
5) If you cannot obtain or inspect the missing files, do not enable the skill; the mismatch between description and required runtime files is a legitimate red flag.

Like a lobster shell, security has layers — review code before you run it.

latestvk973y2xvmy12hz968638a4knxn800wds
