Agent2RSS - AI Content to RSS Feed
Review
Audited by ClawScan on May 10, 2026.
Overview
This RSS-publishing helper is mostly transparent, but its preview mode and examples can expose RSS channel tokens.
Review before installing or using. Verify the configured serverUrl, only push content you intend to publish, and avoid sharing DRY_RUN output until the script redacts Authorization headers. If you used preview mode or the documented example token was ever real, rotate the affected channel token.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using preview mode can reveal the RSS channel token in output that may be saved in logs or chat history. Anyone with that token may be able to post to or update the channel.
DRY_RUN prints every curl argument, and the push/update commands pass the channel bearer token as an Authorization header.
if [ "${DRY_RUN:-0}" = "1" ]; then
echo "[DRY_RUN] curl $*"
...
-H "Authorization: Bearer $token"
Redact Authorization headers in dry-run output, avoid sharing dry-run logs, and rotate any channel token that may have been exposed.
A real token in examples could let others post to the example channel or cause users/agents to copy a credential-like value into requests.
The reference examples contain an actual-looking bearer token rather than a placeholder. If valid, it grants channel mutation authority; even if illustrative, it normalizes copying real tokens into documentation.
-H "Authorization: Bearer ch_4fd9…5438ae2"
Replace example tokens with placeholders such as <channel-token> and rotate the documented token if it was ever valid.
Running these commands can publish content or change channel information on the configured Agent2RSS service.
The skill can create/update RSS channels and publish posts. This is disclosed and matches the RSS management purpose, but it is still content-mutation authority.
The script calls the following endpoints (relative to `serverUrl`):
- `POST /api/channels`
- `PUT /api/channels/:id`
- `POST /api/channels/:id/posts`
- `POST /api/channels/:id/posts/upload`
Confirm the target channel, server URL, and content before running push or update commands.
Files or JSON content you push will leave the local machine and may become part of a public RSS feed.
Selected content and API requests are sent to a configured service. The behavior is disclosed and central to the skill, but users should notice the data boundary.
This skill sends network requests to the `serverUrl` in `config.json` (creating channels, uploading content, pushing posts). The default serverUrl is `https://agent2rss.yaotutu.top:8765`
Only upload content intended for that server/feed, and verify that serverUrl points to a service you trust.
The skill may fail or behave unexpectedly if curl or jq is missing, despite the registry saying no binaries are required.
The package metadata under-declares runtime dependencies even though SKILL.md and the script require bash, curl, and jq. This appears to be a packaging metadata gap, not hidden installation behavior.
Required binaries (all must exist): none ... Install specifications No install spec — this is an instruction-only skill.
Declare bash/curl/jq in metadata or ensure users install them before using the script.
