← Back to Skills Marketplace
77
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install news-sum-lite
Description
轻量新闻日报 skill。触发条件:用户说"今日新闻"、"新闻日报"、"生成今日新闻"。主打快速、轻量、一气呵成。
Usage Guidance
Before installing or enabling this skill, ask the author to clarify and fix these issues: (1) Declare required binaries and tools (e.g., npx/node, the 'gog' gmail CLI) or provide an install spec; (2) Declare any environment variables or credentials needed for sending email (OAuth tokens, API keys) and explain how credentials are obtained/stored; (3) Fix placeholder inconsistencies ({todays-brief.md} vs brief-yyyymmdd.md and {aim-email}) and explain how the recipient is determined (prompt user each run vs configured env var); (4) Confirm the skill is allowed to write to archive/news/brief/ and document what it writes; (5) If you don't want the skill to run shell commands on the host, request a version that uses only platform-provided tooling or a documented API. Because the current instructions assume undeclared tooling and credentials, proceed cautiously — do not grant it access to sensitive email credentials or broad filesystem write permissions until these questions are resolved.
Capability Analysis
Type: OpenClaw Skill
Name: news-sum-lite
Version: 1.0.0
The skill automates news aggregation and delivery via email but contains a shell injection vulnerability in SKILL.md. Step 5 executes a bash command that incorporates the variable '$HTML' and placeholders like '{todays-brief.md}' without proper sanitization or quoting, which could allow for arbitrary command execution if the news content or filenames are manipulated. While the intent appears benign and aligned with the stated purpose, the insecure handling of shell execution poses a security risk.
Capability Assessment
Purpose & Capability
The described purpose (generate and send a daily news brief) matches the actions in SKILL.md (search, summarize, save, email). However the instructions depend on external search tools (web_search, tavily_search) and command-line tools (npx marked, gog gmail send) that are not declared in the metadata. That mismatch (instructions requiring binaries/credentials that the registry metadata does not list) is disproportionate to the stated lightweight intent.
Instruction Scope
SKILL.md directs the agent to perform web searches, write a markdown file to archive/news/brief/brief-yyyymmdd.md, and run shell commands to convert Markdown to HTML and send mail. It requires selecting sources 1:1 domestic/international and forbids hallucination. The instructions contain inconsistent placeholders ({todays-brief.md} vs brief-yyyymmdd.md and {aim-email} without explanation), assume availability of search tools and a gmail CLI, and do not explain where email credentials or recipient addresses come from. These are scope and clarity issues that could cause unexpected behavior or require credentials not declared.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in itself. However the runtime commands imply dependencies on node/NPM (npx marked) and a third-party 'gog gmail send' CLI. Because no install steps or provenance for those tools are provided, the skill implicitly requires external binaries that the platform may not have — a deployment/operational concern but not an explicit install risk in the package itself.
Credentials
The registry shows no required environment variables or credentials, yet the instructions perform email sending (which typically requires OAuth tokens or API keys) and write to local archive paths. The skill fails to declare any email credentials, token locations, or config paths. Requesting the ability to send email and write files without declaring where credentials or recipient addresses come from is disproportionate and under-specified.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The skill writes files to archive/news/brief/… and invokes system commands — these are reasonable for its function, but users should be aware it will create files and run external commands when invoked. Because autonomous invocation is allowed by default, those actions could occur without repeated prompts if the agent is given broader permissions; this increases blast radius but is not, by itself, a disqualifying privilege.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install news-sum-lite - After installation, invoke the skill by name or use
/news-sum-lite - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
news-sum-lite v1.0.0
- Initial release of a lightweight news summary skill supporting commands like "今日新闻", "新闻日报", and "生成今日新闻".
- Generates daily news reports quickly in Chinese, focusing on international affairs, economy/finance, and tech/AI.
- Ensures balanced Chinese and international news sources, using both web_search and tavily_search.
- Summarizes each news item (approx. 300 characters) with title, date, source, and link, in a strict markdown template.
- Adds one proactively explored related topic per day.
- Formats, saves, and auto-emails the daily report as both markdown attachment and styled HTML body.
Metadata
Frequently Asked Questions
What is News Sum Lite?
轻量新闻日报 skill。触发条件:用户说"今日新闻"、"新闻日报"、"生成今日新闻"。主打快速、轻量、一气呵成。 It is an AI Agent Skill for Claude Code / OpenClaw, with 77 downloads so far.
How do I install News Sum Lite?
Run "/install news-sum-lite" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is News Sum Lite free?
Yes, News Sum Lite is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does News Sum Lite support?
News Sum Lite is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created News Sum Lite?
It is built and maintained by Leonard (@liliangjie91); the current version is v1.0.0.
More Skills