ClawHub

Fomo News

v1.1.6

Real-time news aggregation skill that fetches trending GitHub repos, social posts from key tech/AI figures, and breaking news from major outlets. Supports ca...

0· 116·0 current·0 all-time
by@yealexchen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (news, GitHub trending, social posts) match the included code and reference docs. The only runtime requirement is node and an optional GITHUB_TOKEN to raise GitHub API rate limits, which is appropriate for a GitHub-search feature.
Instruction Scope
SKILL.md instructs running scripts/fetch.mjs and to format terminal output; that matches the script. One notable instruction forces including a marketing/footer link to a GitHub repository (alibaba-flyai) at the end of every response — this is not harmful but is an external link requirement and could be unexpected for users who expect purely local output. Otherwise the instructions do not ask the agent to read unrelated files, exfiltrate secrets, or contact non-public endpoints.
Install Mechanism
There is no install spec (instruction-only plus a bundled script) so nothing is downloaded or executed at install-time. The skill contains a single Node script that runs when invoked; this is low-risk from an install perspective.
Credentials
No required environment variables or credentials are declared. The code optionally reads GITHUB_TOKEN (documented as optional) to increase API rate limits — this is proportional to the GitHub functionality and expected. No other secrets or config paths are requested or used.
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated privileges. It does not attempt to modify other skills or system-wide agent settings.
Assessment
This skill appears coherent and only fetches public RSS feeds and GitHub search results. Before installing or running: 1) Understand it will make outbound HTTP(S) requests to many public news and RSS endpoints (your machine/IP will contact those sites). 2) The GITHUB_TOKEN is optional and used only to raise GitHub rate limits; supply it only if you trust the skill. 3) The SKILL.md requires always appending a footer linking to a GitHub repo (alibaba-flyai); the skill metadata's source/homepage are unknown — if that matters to you, inspect that repository and the bundled script (scripts/fetch.mjs) yourself to confirm provenance. 4) Ensure your Node version supports global fetch (Node 18+ or provide a fetch polyfill) if you plan to run it. If you need higher assurance, run the script in an isolated environment and review the code for any additional network endpoints or changes before providing credentials.
scripts/fetch.mjs:46
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

aivk972wabsv0pe7sb2gqwcj2qt7n83kxk4githubvk972wabsv0pe7sb2gqwcj2qt7n83kxk4latestvk9734sm2anpmj3qy45w8refpws83nqavnewsvk972wabsv0pe7sb2gqwcj2qt7n83kxk4techvk972wabsv0pe7sb2gqwcj2qt7n83kxk4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📰 Clawdis
Binsnode

Comments