← Back to Skills Marketplace
514
Downloads
0
Stars
6
Active Installs
1
Versions
Install in OpenClaw
/install news-monitor
Description
Real-time news aggregator with Discord & Telegram push. Manage Jin10, BlockBeats, RSS, X KOLs, Polymarket, OpenNews via REST API.
Usage Guidance
This skill appears to be what it claims (a node-based news aggregator) but it asks you to fetch and run code from an external GitHub repo and to host an HTTP admin API that can be left unauthenticated. Before installing: (1) review the upstream repository source code yourself (or request the code be bundled into the skill) to check for concealed network exfiltration or privileged operations; (2) run it inside an isolated environment (container or VM) with limited network and file access; (3) set a strong dashboard.password and avoid leaving it blank; (4) do not supply production credentials (Discord webhooks, Telegram bot tokens, API keys) until you trust the code; (5) if you must run on a host, bind the service to localhost only and firewall the port; (6) prefer a skill that includes audited code in the bundle or is published from a known/verified source. If you want, I can list exact files or code locations to inspect next (e.g., startup scripts, config handling, outgoing request logic).
Capability Analysis
Type: OpenClaw Skill
Name: news-monitor
Version: 1.0.0
This skill is classified as suspicious due to its reliance on external, potentially mutable, resources and the broad permissions it requires. The `SKILL.md` instructs the agent to `git clone` a repository from GitHub (`https://github.com/zxcnny930/buzz.git`) and then run `npm install`, which can execute arbitrary code from external npm packages. The `package.json` explicitly requests the `exec` tool, granting the agent the ability to run arbitrary shell commands. Furthermore, the skill is designed to handle and transmit sensitive API keys/tokens (e.g., Discord, Telegram, 6551.io, Grok/OpenAI) and allows configurable external API endpoints, increasing the attack surface for potential data exfiltration if the external repository, npm packages, or the local service itself were compromised.
Capability Assessment
Purpose & Capability
Name/description (news aggregator with Discord/Telegram push) align with the runtime instructions (clone repo, npm install, run server, configure sources and webhooks). Required binaries (node, npm) are appropriate for the stated purpose.
Instruction Scope
SKILL.md tells the user/agent to git clone https://github.com/zxcnny930/buzz.git, run npm install and npm start, then manage the running service via local HTTP endpoints. The API allows hot updates to config (including API keys, webhooks, bot tokens) and examples omit the password parameter; the doc explicitly says a blank password => no authentication. Running this service therefore grants an external repo code execution on your system and exposes an admin API that can be unauthenticated — both are scope/risk concerns relative to a typical 'skill' install.
Install Mechanism
There is no install spec in the registry bundle; instead SKILL.md instructs cloning and running a third‑party GitHub repository and running npm install (arbitrary remote code). While GitHub is a common host, fetching and executing upstream code at runtime is higher risk than an instruction-only skill that contains no external downloads.
Credentials
The skill declares no required env vars, which is reasonable, but the API and docs show it will store and use many sensitive values (discord webhookUrl, telegram botToken/chatId, grok/apiKey, etc.) in config.json. The package.json metadata references agent tools like exec/read, indicating the skill expects shell execution abilities. Requiring secrets at runtime (in config) is proportionate to the service, but the registry does not explicitly require or limit these credentials — review before providing them.
Persistence & Privilege
The instructions run a long‑running local server (default port 3848) that accepts configuration changes via HTTP. Although always:false (not force-installed), the service persists while running and can be left reachable. Because the server can operate without a password if misconfigured, it may be remotely or locally manipulated. This persistent network presence increases attack surface.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install news-monitor - After installation, invoke the skill by name or use
/news-monitor - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Buzz v1.0.0: Initial release – real-time news aggregator with REST API and Discord/Telegram push.
- Aggregates news from Jin10, BlockBeats, RSS, X KOLs, Polymarket, and OpenNews.
- REST API for all configuration, supporting hot-reload with no restarts.
- Discord and Telegram push notifications supported.
- Includes endpoints for config, status, KOL management, health check, and real-time SSE news stream.
- Supports password-protected endpoints (optional) and redacts sensitive fields from responses.
- Detailed examples and schema provided in documentation.
Metadata
Frequently Asked Questions
What is News Monitor?
Real-time news aggregator with Discord & Telegram push. Manage Jin10, BlockBeats, RSS, X KOLs, Polymarket, OpenNews via REST API. It is an AI Agent Skill for Claude Code / OpenClaw, with 514 downloads so far.
How do I install News Monitor?
Run "/install news-monitor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is News Monitor free?
Yes, News Monitor is completely free (open-source). You can download, install and use it at no cost.
Which platforms does News Monitor support?
News Monitor is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).
Who created News Monitor?
It is built and maintained by zxcnny930 (@zxcnny930); the current version is v1.0.0.
More Skills