Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

trump_news

v1.0.0

Pulls Trump-related news daily (from official sources and mainstream news agencies), translates it into Chinese with AI, edits it, and pushes it to users.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the implementation: scripts fetch RSS feeds and the Federal Register and optionally Truth Social; the output is an English summary intended for the AI to translate/edit/push. The included code and config align with this purpose.
Instruction Scope
SKILL.md instructs the agent to run scripts that fetch network resources and to optionally call a send_telegram.py present in the environment. It also references TRUTHSOCIAL_* environment variables and use of truthbrush. Those env vars and the optional send_telegram integration are not declared in the skill's required-env metadata, meaning the runtime instructions access configuration outside the manifest. Calling an external send_telegram.py (not bundled here) could cause the skill to forward content to an external endpoint depending on that script's behavior — review that script before allowing automatic runs.
Install Mechanism
No install spec is provided (instruction-only skill with bundled Python scripts). This is low risk from an install mechanism perspective — nothing is downloaded at install time.
Credentials
The manifest lists no required environment variables, but the SKILL.md and scripts document optional TRUTHSOCIAL_USERNAME / TRUTHSOCIAL_PASSWORD / TRUTHSOCIAL_TOKEN (for truthbrush) and may rely on an external send_telegram.py which likely requires Telegram credentials. Those credentials are optional for functionality but are referenced without being declared in requires.env or primaryEnv. That mismatch reduces transparency and could surprise users who later configure tokens (especially TRUTHSOCIAL_TOKEN extracted from browser storage).
Persistence & Privilege
The skill is not marked always:true, does not request to modify other skills or system settings, and contains no installation hooks that persist or escalate privileges. Autonomous invocation is the platform default and present here, which is expected for a regularly-invoked news skill.
What to consider before installing
This skill is largely coherent with its stated purpose, but pay attention to optional credential and push integrations before enabling it:
- The skill can optionally fetch Truth Social posts via truthbrush if you install that library and set TRUTHSOCIAL_USERNAME/TRUTHSOCIAL_PASSWORD or TRUTHSOCIAL_TOKEN. Those env vars are not listed in the manifest; only provide them if you trust the environment and understand how you obtained the token (do not paste sensitive browser tokens into unknown places).
- SKILL.md suggests calling a separate send_telegram.py (not included). If you enable automatic pushes, inspect any send_telegram.py script on the same host (or other skills that provide it) to confirm where it sends messages and what credentials it uses. That external script, not this skill, controls outbound delivery.
- The scripts make network requests only to public RSS feeds and the Federal Register API (and truthbrush when configured). If you want a conservative setup, run the fetch script manually first to see its stdout, or run it in an isolated environment before enabling cron/automatic runs.
- If you require stricter guarantees, ask the skill author to declare optional env vars in the manifest (TRUTHSOCIAL_*) and to avoid recommending cross-skill send_telegram invocation without explicit configuration instructions.
