← Back to Skills Marketplace
newspaper-download-skill
by
1787812757
· GitHub ↗
· v1.0.0
· MIT-0
75
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install newspaper-download-skill
Description
报刊 PDF 下载工具。通过 CLI 命令查询已收录的报刊更新、定位指定期次、获取 PDF 下载链接。查询不鉴权,下载需要 Import Token。Newspaper/magazine PDF download tool. Use CLI commands to query collected issues,...
Usage Guidance
This skill is plausible for getting PDF download links, but exercise caution before installing or using it: 1) The script deliberately bypasses system proxies and disables TLS certificate checks — that can circumvent corporate/network controls and make connections vulnerable to interception. If you run this inside a managed environment, this alone is a strong reason to avoid it. 2) The tool reads an import token from config.json (or IMPORT_TOKEN env) and returns download URLs that include that token — anyone with those URLs can use your token; treat it like a secret. 3) SKILL.md insists you only run the packaged CLI; review the full get_data.py to confirm it never writes files, exfiltrates other secrets, or performs unexpected actions when run without --no-save. 4) Prefer skills with a known source/homepage and audited TLS behavior; if you need this functionality, consider implementing a small trusted client that honors system proxy settings and validates certificates, or run this script in an isolated environment after a careful code review.
Capability Analysis
Type: OpenClaw Skill
Name: newspaper-download-skill
Version: 1.0.0
The skill bundle contains a Python script (scripts/get_data.py) that intentionally disables SSL certificate verification (ssl.CERT_NONE) and bypasses system proxies to communicate with pick-read.vip. While these behaviors are documented as workarounds for connectivity issues in AI sandboxes, they constitute a significant security vulnerability by exposing the user's 'import_token' to potential Man-in-the-Middle (MITM) attacks. Per the instructions, this high-risk vulnerability is classified as suspicious rather than malicious as it appears to be a functional choice rather than an intentional exploit.
Capability Assessment
Purpose & Capability
Name, description, required binary (python3), config.json and the script all align with a CLI tool that queries an OCR/download API (pick-read.vip). Accepting an import token and an API base is expected.
Instruction Scope
SKILL.md mandates using the packaged CLI (not curl/requests) and always using --no-save, and the code indeed performs network requests to the API. However the instructions forbid direct API calls while the code itself bypasses system proxies and can disable TLS checks; this expands the runtime's network behavior beyond what a user might expect and reduces transparency.
Install Mechanism
No install spec (instruction-only with included script). That keeps risk lower than arbitrary remote installs. The repository contains a local Python script only; nothing is fetched/installed at install time.
Credentials
No required env vars are declared; the script optionally respects OCR_API_BASE and IMPORT_TOKEN which is reasonable. However the skill stores/reads an import token in config.json and returns URLs containing the token — users should recognize that sharing those URLs leaks the token. The number of credentials requested is minimal.
Persistence & Privilege
always:false and no special install-time persistence. But the SKILL.md's strict 'do not save' rule contrasts with code that defines DEFAULT_OUTPUT_DIR and may be able to write files if invoked without --no-save. More critically, the code bypasses system proxies (ProxyHandler({})) and uses SSL contexts that disable certificate verification — giving the script the ability to make direct, unverified outbound network connections that can circumvent platform or network policies.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install newspaper-download-skill - After installation, invoke the skill by name or use
/newspaper-download-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
报刊 PDF 下载工具:通过 CLI 命令可查询主流国际报刊(如 The New York Times、The Wall Street Journal、The Economist、The Guardian 等)的最新更新情况,定位指定期次,并获取 PDF 下载链接。查询功能无需鉴权,下载需配置 Import Token。
Newspaper & magazine PDF download tool: Use CLI commands to check update status of leading publications (such as The New York Times, The Wall Street Journal, The Economist, The Guardian), locate specific issues, and retrieve PDF download links. No authentication is required for queries; downloading requires an Import Token.
Metadata
Frequently Asked Questions
What is newspaper-download-skill?
报刊 PDF 下载工具。通过 CLI 命令查询已收录的报刊更新、定位指定期次、获取 PDF 下载链接。查询不鉴权,下载需要 Import Token。Newspaper/magazine PDF download tool. Use CLI commands to query collected issues,... It is an AI Agent Skill for Claude Code / OpenClaw, with 75 downloads so far.
How do I install newspaper-download-skill?
Run "/install newspaper-download-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is newspaper-download-skill free?
Yes, newspaper-download-skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does newspaper-download-skill support?
newspaper-download-skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created newspaper-download-skill?
It is built and maintained by 1787812757 (@1787812757); the current version is v1.0.0.
More Skills