pyh-pan

Multi Source Tech News Digest

by Haloha · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 487
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install multi-source-news-digest
Description
Aggregates and scores technology news daily from 100+ RSS feeds, GitHub releases, and web sources, providing customizable, filtered tech news digests.
Usage Guidance
This skill mostly does what its name promises (aggregate tech news) but has several red flags you should consider before installing:
- The code uses subprocess.run with dynamically constructed Python -c strings that embed config values (RSS URLs and repo strings). If those config values are modified by an attacker or come from untrusted input, they could lead to arbitrary code execution. Ask the author to remove subprocess -c usage and call requests/feedparser directly in-process.
- Some advertised sources (Twitter/X, web scraping) are mentioned in descriptions/config but are not actually implemented — verify the feature set if you need those sources.
- The GitHub endpoints in config appear incorrect/unexpected; confirm how GitHub data is fetched and whether authentication is required for your use case.
- test_skill.py contains a hardcoded absolute path (/home/pan/...), likely a leftover from development. That is not a direct runtime threat but indicates the repo wasn't fully cleaned.
- Because the skill makes outbound HTTP requests, run it in a sandboxed environment or restricted network if you want to limit data exfiltration risk, and review/replace the subprocess calls before granting production use.

If you decide to proceed: require the maintainer to (1) replace subprocess -c calls with in-process library calls that properly validate/escape inputs, (2) fix/clarify GitHub source usage, (3) remove development hardcoded paths, and (4) document exactly which external endpoints will be contacted and whether credentials are ever required.
Capability Analysis
Type: OpenClaw Skill
Name: multi-source-news-digest
Version: 1.0.0

The `skill.py` file contains a critical code injection vulnerability. It uses `subprocess.run` to execute Python code, directly embedding user-configurable URLs (`rss_sources` and `github_repos` from `config.json`) into f-strings. As `SKILL.md` explicitly states that `config.json` is user-editable, an attacker could modify these URLs to inject arbitrary Python code, leading to Remote Code Execution (RCE) on the agent. While the provided `config.json` contains benign URLs, the underlying implementation flaw makes the skill highly risky.
Capability Assessment
Purpose & Capability
The name/description claim aggregation from RSS, GitHub releases, and web sources (and mention Twitter/X). The code implements RSS fetching and GitHub release fetching, but GitHub endpoints in config are incorrect/unusual ('https://api.github.com/repos/trending'), and there is no real Twitter/X ingestion or web scraping implementation beyond listing a few web URLs in config. The inclusion of package.json/requirements is reasonable for an aggregator, but some declared sources and descriptions (Twitter/X, web scraping) are not implemented, which is an incoherence.
Instruction Scope
Runtime code uses subprocess.run to execute dynamically constructed Python -c one-liners that embed config values (source_url and repo) directly into the command string. That pattern can lead to command/Python code injection if config values are attacker-controlled or maliciously modified. The SKILL.md usage instructions are straightforward (python skill.py digest/list/refresh) and do not request secrets, but the implementation detail of spawning an interpreter for each fetch is unnecessary and risky compared to using the imported libraries directly. test_skill.py also hardcodes an absolute path (/home/pan/...) which is a leftover artifact and may leak local paths.
Install Mechanism
There is no install spec (instruction-only install), which minimizes install-time risk. The repository includes requirements.txt and package.json (declaring common libraries requests, feedparser, beautifulsoup4) — expected for this kind of skill. No remote downloads or extract operations are present.
Credentials
The skill does not request environment variables, credentials, or special config paths. The default config lists external endpoints (RSS/GitHub/Google News/Techmeme) but there are no access tokens or secrets requested, which is proportionate for a public-news aggregator.
Persistence & Privilege
The skill does not set always: true and is user-invocable only (default). The included trigger_config.json sets an auto-start cron schedule and notification channels, but that appears to be a platform trigger config, not an internal mechanism that modifies other skills or system-wide settings. Autonomous invocation by the agent is allowed by default (platform standard).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install multi-source-news-digest
  3. After installation, invoke the skill by name or use /multi-source-news-digest
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Multi Source Tech News Digest.
- Aggregates technology news from 109+ sources, including RSS feeds, GitHub releases, and web pages.
- Automatically scores and filters news based on tech relevance and source credibility.
- Provides configurable source lists, scoring thresholds, and daily formatted news digests.
- Includes commands to generate digests, list news, and refresh data.
- Customizable via config.json for sources and filtering preferences.
Metadata
Slug multi-source-news-digest
Version 1.0.0
License
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Multi Source Tech News Digest?

Aggregates and scores technology news daily from 100+ RSS feeds, GitHub releases, and web sources, providing customizable, filtered tech news digests. It is an AI Agent Skill for Claude Code / OpenClaw, with 487 downloads so far.

How do I install Multi Source Tech News Digest?

Run "/install multi-source-news-digest" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Multi Source Tech News Digest free?

Yes, Multi Source Tech News Digest is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Multi Source Tech News Digest support?

Multi Source Tech News Digest is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Multi Source Tech News Digest?

It is built and maintained by Haloha (@pyh-pan); the current version is v1.0.0.
