Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Buzz
v1.1.1 · Real-time news aggregator with Discord & Telegram push. Manage Jin10, BlockBeats, RSS, X KOLs, Polymarket, OpenNews via REST API.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (news aggregator + Discord/Telegram push) align with required binaries (node, npm, git) and the SKILL.md instructions to git clone and run the project. Minor inconsistency: package.json's openclaw metadata lists agent tools ['exec','read'], which implies the skill expects the agent to be able to execute shell commands or read files; the registry metadata only declared required binaries. This is explainable (the SKILL.md instructs running git/npm locally) but worth noting.
Instruction Scope
SKILL.md instructs cloning https://github.com/zxcnny930/buzz, running npm install, copying/editing config.json, and starting the server. All instructions stay within the stated purpose. Notable security-relevant guidance: the server binds 0.0.0.0 by default, the REST API uses a dashboard.password passed as a query parameter (pw=) which can be leaked in logs/referrers, and if dashboard.password is empty the API is unauthenticated. These are application-level security issues but do not contradict the skill's stated functionality.
Install Mechanism
No install spec in the skill bundle; instructions tell the user to git clone the GitHub repo and run npm install. Downloading code from the project's GitHub repository is expected for this type of skill but still carries the normal risks of executing third-party code — SKILL.md does encourage reviewing source before running.
Credentials
The skill does not require any platform environment variables from the registry. The project stores API keys/bot tokens in config.json (user-provided) which is proportional to sending Discord/Telegram/webhook notifications and integrating external sources. No unrelated credentials are requested by the skill bundle.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent platform privileges. The skill's behavior (running a local server you start) is appropriate for its purpose and does not attempt to modify other skills or global agent settings.
Assessment
This skill is essentially instructions to run a third‑party Node.js app from GitHub. That is coherent with its description, but take standard precautions before running it: review the repository source code (the SKILL.md itself links to github.com/zxcnny930/buzz), do not commit config.json (it can contain API keys and bot tokens), set dashboard.password before exposing the dashboard, avoid passing the password in URLs on public machines (query strings can leak), run the service behind a reverse proxy/firewall or on an isolated VM/container, and restrict config.json file permissions. If you must supply an AI or translation API key, prefer scoped keys and monitor usage. If you want extra assurance, inspect the repo and run it in a sandbox before trusting it with real credentials.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📰 Clawdis
OS: macOS · Linux · Windows
Bins: node, npm, git
