Financial Times Deep Reader
v1.0.0Automates login to FT.com to extract and provide detailed bilingual English-Chinese summaries of top Financial Times articles with academic rigor.
⭐ 0· 638·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's purpose is to log into FT.com and extract articles — that legitimately requires credentials or session access. However, the registry lists no required environment variables, no primary credential, and no required config paths, while SKILL.md explicitly instructs use of a Browser profile named 'openclaw' and to enter email/password. This mismatch (claims of automated login vs. no declared credential/config requirements) is incoherent and raises risk about where credentials would come from and how they would be accessed.
Instruction Scope
SKILL.md instructs the agent to navigate to FT login pages, enter email/password, and run page-evaluation JavaScript to extract article text — these actions are consistent with the stated functionality. However, the instructions also demand use of a named browser profile ('openclaw') to maintain session persistence and include placeholder credentials in the file, without describing the source/secure storage of those credentials. That gives the skill broad discretion to access browser session data and credentials not declared to the registry, which is outside what a safe, self-contained instruction-only skill should assume. Also note potential legal/ToS concerns about automated scraping of paywalled content; the skill does not mention compliance.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. This minimizes filesystem risk because nothing is downloaded or written during install. The lack of an install step also explains why there are no declared dependencies, but it does not resolve the credential/access inconsistencies.
Credentials
The skill needs login credentials and persistent browser session access to function, yet the registry lists no required env vars, no primary credential, and no config paths. Requiring access to a browser profile (which can contain cookies, tokens, and other site credentials) is a high-privilege action; it should be explicitly declared and justified. The omission of any declared credential or config requirements is disproportionate and ambiguous.
Persistence & Privilege
The skill is not set to always:true and does not request persistent installation. Autonomous invocation is allowed (the platform default). Combined with the credential/session access the SKILL.md asks for, autonomous runs could access stored browser sessions or prompt for credentials without clear registry-level controls — this increases the blast radius but is not itself a configuration flag set by the skill.
What to consider before installing
This skill is suspicious because its runtime instructions require login credentials and use of a specific browser profile, but the registry metadata does not declare any credentials or configuration paths. Before installing or enabling it: 1) Ask the publisher for source code or a homepage and for a clear explanation of where credentials should be stored and how they are protected (prefer OAuth or token-based flows over plaintext credentials). 2) Do not enter your FT account email/password unless you fully trust the publisher; prefer using an account with no subscriptions or a throwaway account for testing. 3) Ask whether the skill will access your local browser profile or cookies; if so, decline unless you understand exactly what data will be read and why. 4) Confirm legal/ToS implications of scraping paywalled content. 5) If you must test, run it in a restricted environment (isolated profile or VM) and monitor network traffic. Providing a trusted source repo, explicit required env var names, or an OAuth-based integration would increase confidence and could change this assessment.Like a lobster shell, security has layers — review code before you run it.
latestvk97emamdxy15rch8rjy49w9q4h8168z5
License
MIT-0
Free to use, modify, and redistribute. No attribution required.