ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

News Aggregator Skill 0.1.0

v1.0.0

Comprehensive news aggregator that fetches, filters, and deeply analyzes real-time content from 8 major sources: Hacker News, GitHub Trending, Product Hunt,...

0· 545·1 current·1 all-time
by@zy66677
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, README, SKILL.md and the included scripts/fetch_news.py consistently implement multi-source news fetching and deep content extraction for the eight listed sources. No unrelated credentials, binaries, or config paths are requested. Minor mismatch: README references a GitHub repo and install workflows, while registry source/homepage are unknown — provenance is unclear but capability requests are coherent with the stated purpose.
!
Instruction Scope
SKILL.md instructs the agent to read templates.md and to save reports into reports/ (expected for this skill). However, it contains many all-caps/mandatory directives ("MUST", "CRITICAL") telling the agent exactly how to behave (automatic keyword expansion, manual filtering of large result sets, strict formatting rules, language constraints). These high-authority instructions in SKILL.md could be used as prompt-injection vectors. Additionally, a pre-scan found unicode-control-chars inside SKILL.md (hidden characters can hide or alter instructions). No instructions ask for unrelated files or secrets, but the injection signal elevates risk in the instruction scope.
Install Mechanism
There is no install spec; this is instruction-plus-script. requirements.txt lists only requests and beautifulsoup4 — appropriate for a scraper. No downloads from untrusted URLs or archived extract steps in the install metadata. README suggests git cloning from a GitHub repo (SSH URL), but that is guidance rather than an automated installer in the package metadata.
Credentials
The skill requests no environment variables or secrets. Its network access to many public endpoints (Hacker News, GitHub Trending, Weibo, Tencent, 36Kr, V2EX, WallStreetCN, Product Hunt) is proportional to its purpose. The 'deep' mode fetches and extracts full article text (arbitrary URLs) — expected but note this performs broad outbound HTTP(s) requests and downloads page content.
Persistence & Privilege
No elevated privileges requested. always is false and autonomous model invocation is default. SKILL.md asks to write reports into a local reports/ directory (normal for a reporting skill). The skill does not request or appear to modify other skills or system-wide settings.
Scan Findings in Context
[unicode-control-chars] unexpected: Scanner found unicode control characters embedded in SKILL.md. Hidden characters are not needed for a news-aggregator and can be used for prompt-injection or to hide/alter instructions. This is worth manual inspection and removal before trusting the skill.
What to consider before installing
This skill appears to implement what it claims (multi-source scraping and deep article extraction) and asks for no credentials, but exercise caution before installing: 1) Inspect SKILL.md and templates.md for hidden/unexpected characters (the pre-scan flagged unicode control characters). Remove or sanitize any invisible/control characters. 2) Verify provenance — README points at a GitHub repo; confirm the repo and publisher identity before cloning or running. 3) Run the Python script in a sandboxed environment (network-restricted or with egress monitoring) first — the 'deep' option fetches arbitrary URLs and can download page content. 4) Review the full fetch_news.py (the bundled file appears truncated in the package preview); ensure there are no hidden endpoints or exfiltration logic. 5) Limit concurrency/limits when doing a Global Scan to avoid large-scale requests. 6) If you plan to persist reports, check that the reports/ directory content and filenames are acceptable and that no unexpected data (e.g., credentials) would be written there. If you can, ask the publisher to provide a canonical homepage or signed source so provenance is clear. If the SKILL.md is cleaned of control characters and the rest of the code is intact/transparent, the skill could be treated as coherent and low-risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dbapw87yxh7a0ymxgdq56ax81hb9d
545downloads
0stars
1versions
Updated 23h ago
v1.0.0
MIT-0
@zy66677
latest
Download

News Aggregator Skill

Fetch real-time hot news from multiple sources.

Tools

fetch_news.py

Usage:

### Single Source (Limit 10)
```bash
### Global Scan (Option 12) - **Broad Fetch Strategy**
> **NOTE**: This strategy is specifically for the "Global Scan" scenario where we want to catch all trends.

```bash
#  1. Fetch broadly (Massive pool for Semantic Filtering)
python3 scripts/fetch_news.py --source all --limit 15 --deep

# 2. SEMANTIC FILTERING:
# Agent manually filters the broad list (approx 120 items) for user's topics.

Single Source & Combinations (Smart Keyword Expansion)

CRITICAL: You MUST automatically expand the user's simple keywords to cover the entire domain field.

  • User: "AI" -> Agent uses: --keyword "AI,LLM,GPT,Claude,Generative,Machine Learning,RAG,Agent"
  • User: "Android" -> Agent uses: --keyword "Android,Kotlin,Google,Mobile,App"
  • User: "Finance" -> Agent uses: --keyword "Finance,Stock,Market,Economy,Crypto,Gold"
# Example: User asked for "AI news from HN" (Note the expanded keywords)
python3 scripts/fetch_news.py --source hackernews --limit 20 --keyword "AI,LLM,GPT,DeepSeek,Agent" --deep

Specific Keyword Search

Only use --keyword for very specific, unique terms (e.g., "DeepSeek", "OpenAI").

python3 scripts/fetch_news.py --source all --limit 10 --keyword "DeepSeek" --deep

Arguments:

  • --source: One of hackernews, weibo, github, 36kr, producthunt, v2ex, tencent, wallstreetcn, all.
  • --limit: Max items per source (default 10).
  • --keyword: Comma-separated filters (e.g. "AI,GPT").
  • --deep: [NEW] Enable deep fetching. Downloads and extracts the main text content of the articles.

Output: JSON array. If --deep is used, items will contain a content field associated with the article text.

Interactive Menu

When the user says "news-aggregator-skill 如意如意" (or similar "menu/help" triggers):

  1. READ the content of templates.md in the skill directory.
  2. DISPLAY the list of available commands to the user exactly as they appear in the file.
  3. GUIDE the user to select a number or copy the command to execute.

Smart Time Filtering & Reporting (CRITICAL)

If the user requests a specific time window (e.g., "past X hours") and the results are sparse (< 5 items):

  1. Prioritize User Window: First, list all items that strictly fall within the user's requested time (Time < X).
  2. Smart Fill: If the list is short, you MUST include high-value/high-heat items from a wider range (e.g. past 24h) to ensure the report provides at least 5 meaningful insights.
  3. Annotation: Clearly mark these older items (e.g., "⚠️ 18h ago", "🔥 24h Hot") so the user knows they are supplementary.
  4. High Value: Always prioritize "SOTA", "Major Release", or "High Heat" items even if they slightly exceed the time window.
  5. GitHub Trending Exception: For purely list-based sources like GitHub Trending, strictly return the valid items from the fetched list (e.g. Top 10). List ALL fetched items. Do NOT perform "Smart Fill".
    • Deep Analysis (Required): For EACH item, you MUST leverage your AI capabilities to analyze:
      • Core Value (核心价值): What specific problem does it solve? Why is it trending?
      • Inspiration (启发思考): What technical or product insights can be drawn?
      • Scenarios (场景标签): 3-5 keywords (e.g. #RAG #LocalFirst #Rust).

6. Response Guidelines (CRITICAL)

Format & Style:

  • Language: Simplified Chinese (简体中文).
  • Style: Magazine/Newsletter style (e.g., "The Economist" or "Morning Brew" vibe). Professional, concise, yet engaging.
  • Structure:
    • Global Headlines: Top 3-5 most critical stories across all domains.
    • Tech & AI: Specific section for AI, LLM, and Tech items.
    • Finance / Social: Other strong categories if relevant.
  • Item Format:
    • Title: MUST be a Markdown Link to the original URL.
      • ✅ Correct: ### 1. [OpenAI Releases GPT-5](https://...)
      • ❌ Incorrect: ### 1. OpenAI Releases GPT-5
    • Metadata Line: Must include Source, Time/Date, and Heat/Score.
    • 1-Liner Summary: A punchy, "so what?" summary.
    • Deep Interpretation (Bulleted): 2-3 bullet points explaining why this matters, technical details, or context. (Required for "Deep Scan").

Output Artifact:

  • Always save the full report to reports/ directory with a timestamped filename (e.g., reports/hn_news_YYYYMMDD_HHMM.md).
  • Present the full report content to the user in the chat.

Comments

Loading comments...