ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw News Watcher

Monitors CoinDesk or PANews for new crypto articles, summarizes them, and sends updates to Telegram without API keys or login.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 43 · 0 current installs · 0 all-time installs
by@vvxer
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (monitor CoinDesk / PANews, summarize, send Telegram) aligns with required items: the script uses Playwright to fetch pages, computes hashes, calls a local OpenClaw agent (OPENCLAW_MJS) to summarize, and uses openclaw message send to deliver to TELEGRAM_USER_ID. No unrelated credentials or services are requested.
Instruction Scope
SKILL.md and scripts instruct the agent to launch Playwright, read/write a local cache (~/.openclaw/cache/news-hash.json), and invoke node OPENCLAW_MJS to run the OpenClaw agent and send Telegram messages. This is coherent with the skill, but the code executes the provided OPENCLAW_MJS (arbitrary local JS) via execFileSync — that means the skill will run whatever code is pointed to by OPENCLAW_MJS, so that path must point to a trusted OpenClaw installation.
Install Mechanism
There is no install spec in the registry (instruction-only skill), but package.json and README expect you to run npm install to get Playwright. No remote download URLs or extract steps embedded in the skill. Dependencies (playwright) are expected for browser automation; the 'crypto' dependency is unnecessary because Node provides crypto natively, but this is not a direct security issue.
Credentials
Required env vars are limited to OPENCLAW_MJS and TELEGRAM_USER_ID (plus optional CHROME_PATH and PLAYWRIGHT_HEADLESS). These map to the stated behavior. Caveat: giving the skill a path to OPENCLAW_MJS effectively grants it the ability to run that local script and any actions it performs (including sending messages using configured credentials). This is functionally necessary for the design but increases trust requirements around the provided openclaw.mjs.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and only writes to its own cache under the user's home (~/.openclaw/cache/news-hash.json). No elevated persistence or system-wide config changes are requested.
Scan Findings in Context
[child_process.execFileSync] expected: scripts/watch-news.js uses execFileSync to run 'node OPENCLAW_MJS ...' to call the OpenClaw agent and send messages. This is necessary for the skill's design but means the provided OPENCLAW_MJS will be executed — ensure that file is trusted.
[playwright_network_fetch] expected: The script uses Playwright to visit CoinDesk and PANews to fetch pages and extract article content. Network access to those sites is required for the stated purpose.
[writes_user_cache] expected: The script reads/writes ~/.openclaw/cache/news-hash.json to persist last-seen hash. That matches the documented caching behavior.
[package_dep_crypto] unexpected: package.json lists an external 'crypto' dependency even though Node provides crypto built-in. This appears unnecessary but not directly malicious; may be a packaging oversight.
Assessment
This skill appears to do what it says: it scrapes configured sites, summarizes articles by calling your local OpenClaw agent, and sends messages to the Telegram chat ID you provide. Before installing or running it: (1) Verify OPENCLAW_MJS points to a legitimate OpenClaw installation you trust — the skill will execute that file. (2) Inspect scripts/watch-news.js yourself (it is included) to confirm it matches expectations. (3) Be aware OpenClaw (the target of OPENCLAW_MJS) will perform the actual Telegram sending and may have its own credentials; ensure those are configured securely and not exposing other recipients. (4) Run npm install (playwright) in a controlled environment and ensure you have the appropriate Node version and Chromium available. (5) If you want extra isolation, run the skill in an isolated user account or container so the cache and executed processes are separated from sensitive files. If you cannot verify OPENCLAW_MJS or the OpenClaw installation, do not set that environment variable or do not run the skill.
scripts/watch-news.js:19
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.3
Download zip
latestvk9738rhej1am2hvy4rt2qxwsmh831m30

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

News Watcher - 实时加密新闻监听 Skill

使用 Playwright 实时监听虚拟货币新闻网站,检测新文章发布并自动抓取全文、AI 总结、推送 Telegram。

完全开源透明 · 源码 + 运行截图:https://github.com/vvxer/openclaw-news-watcher

功能

  • 🎯 实时监听 CoinDesk、PANews 等新闻网站
  • 🔍 通过 URL 哈希变化检测新文章(不依赖 RSS / API)
  • 📰 自动抓取新文章全文
  • 🤖 调用 OpenClaw AI Agent 生成中文摘要
  • 📢 推送摘要到 Telegram
  • ⏱️ 可配置检查间隔(默认 60 秒)

环境变量(必须设置)

变量必填说明
OPENCLAW_MJS✅ 必填openclaw.mjs 的完整路径,用于调用 AI Agent 和发送消息
TELEGRAM_USER_ID✅ 必填Telegram 收件人 Chat ID
CHROME_PATH可选本地 Chrome 路径;未设置时按平台自动检测
PLAYWRIGHT_HEADLESS可选设为 false 显示浏览器窗口(调试用),默认 true
# Windows PowerShell
$env:OPENCLAW_MJS = "D:\openclaw\node_modules\openclaw\openclaw.mjs"
$env:TELEGRAM_USER_ID = "你的ChatID"

# Linux / macOS
export OPENCLAW_MJS="/path/to/openclaw.mjs"
export TELEGRAM_USER_ID="你的ChatID"

基础用法

监听 CoinDesk(默认)

node {baseDir}/scripts/watch-news.js

监听其他网站

node {baseDir}/scripts/watch-news.js --site panews
node {baseDir}/scripts/watch-news.js --site coindesk --interval 120

参数

  • --site <name> - 网站名称(支持: coindesk, panews
  • --interval <seconds> - 检查间隔(秒),默认 60

工作原理

  1. 打开浏览器 - 使用 Playwright 加载新闻网站主页
  2. 提取最新文章 - 获取置顶文章链接
  3. 计算哈希 - 对文章 URL 做 MD5 哈希
  4. 对比检测 - 与上次保存的哈希对比
  5. 发现新文章 - URL 变化说明有新文章置顶
  6. 抓取全文 - 打开文章页面抓取正文
  7. AI 总结 - 调用 openclaw agent 生成中文摘要
  8. 推送通知 - 调用 openclaw message send 发送到 Telegram

缓存位置

新闻哈希缓存存储在:~/.openclaw/cache/news-hash.json

与 OpenClaw Cron 集成

方案 1:高频后台监听(推荐)

node ~/.openclaw/workspace/skills/news-watcher/scripts/watch-news.js --site coindesk --interval 60

方案 2:通过 OpenClaw Agent 调用

openclaw agent --message "监听 CoinDesk 新闻,有更新就通知我" --timeout 600

方案 3:每日新闻摘要 Cron

openclaw cron add \
  --name "Morning News Digest" \
  --cron "0 7 * * *" \
  --tz "Asia/Shanghai" \
  --session isolated \
  --message "总结过去一晚上的加密新闻,列出前 3 个重点" \
  --announce \
  --channel telegram \
  --to "$TELEGRAM_USER_ID"

已支持的网站

网站site 参数说明
CoinDeskcoindesk全球权威加密新闻
PANewspanews中文区块链新闻

添加新网站

编辑 watch-news.js,在 sites 对象中添加:

const sites = {
  coindesk: { /* ... */ },
  mynews: {
    url: 'https://example.com/news',
    selector: '.article-item',
    getContent: () => { /* 可选自定义提取逻辑 */ }
  }
};

故障排除

启动报错:OPENCLAW_MJS 未设置

export OPENCLAW_MJS="/path/to/openclaw.mjs"

启动报错:TELEGRAM_USER_ID 未设置

export TELEGRAM_USER_ID="你的Telegram Chat ID"

页面加载超时

node {baseDir}/scripts/watch-news.js --interval 180

显示浏览器窗口(调试)

PLAYWRIGHT_HEADLESS=false node {baseDir}/scripts/watch-news.js

Chrome 路径未找到

export CHROME_PATH="/usr/bin/google-chrome"   # Linux
export CHROME_PATH="/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"  # macOS

开源透明

  • 完整源码:https://github.com/vvxer/openclaw-news-watcher
  • 运行截图示例见 GitHub,可验证实际运行效果
  • 所有操作通过本地 OpenClaw 完成,不依赖任何第三方 API
  • 代码逻辑完全可审查,无隐藏行为

Files

6 total
Select a file
Select a file to preview.

Comments

Loading comments…