liliangjie91

News Sum

by Leonard · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
68 Downloads · 0 Stars · 1 Active Installs · 1 Versions
Install in OpenClaw
/install news-sum
Description
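News aggregation and email delivery skill. Triggered when the user asks to "generate today's news summary" or "send the news to my mailbox". Supports: (1) accepting user-specified topics, then searching and generating a news summary; (2) delivering it to a specified email address as the user requests.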
Usage Guidance
Before installing or enabling this skill, verify these points:
(1) Confirm how email sending will be authenticated: the SKILL.md uses 'gog gmail send' but the skill declares no required binary or any credentials — ask the author where 'gog' comes from and what credentials it needs. Do not provide broad Gmail/SMTP credentials until you trust the CLI and source.
(2) Resolve the contradiction about temporary files: the skill says 'convert in memory, no temp files' but also attaches a file path; ensure attachments are created only in a controlled workspace path.
(3) Command injection risk: the send command interpolates user-supplied EmailTarget and HTML into a shell command. Make sure placeholders are properly escaped or use an API/SDK instead of raw shell formatting.
(4) Review privacy: the skill will fetch many web pages (English + Chinese results) and may include scraped content in outgoing emails; confirm you are comfortable with that data leaving your agent.
(5) If you proceed, require the author to declare the exact binary dependency and the minimal credential scope (e.g., a dedicated, limited-scope SMTP account or OAuth token), or modify the skill to use the platform's audited mail API to avoid shell/credential issues.
Capability Analysis
Type: OpenClaw Skill
Name: news-sum
Version: 1.0.0

The news-sum skill implements a multi-agent workflow for news aggregation and email delivery. A significant security risk is identified in `SKILL.md`, where the email delivery function uses a shell command (`gog gmail send`) that wraps dynamic HTML content inside a subshell `$(printf '%s' ...)`. This pattern is highly susceptible to shell injection if the aggregated news content contains malicious sequences. While the logic appears aligned with its stated purpose, the unsafe handling of shell execution warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The skill claims to collect news and optionally send it by email, which is reasonable. However, the SKILL.md instructs the agent to run the external CLI command 'gog gmail send' to deliver mail yet the skill declares no required binaries and no credentials. Sending mail normally requires an authenticated mail client or credentials; that capability is not declared. This is an incoherence between claimed purpose and requested/declared resources.
Instruction Scope
Instructions read and write workspace files and spawn subagents for reporters/editors (reasonable for an aggregator). Concerns: (1) contradictory guidance — 'convert markdown to HTML in memory, do not generate temporary files' vs. the send command that uses --attach pointing to a file path (implies a file must exist). (2) The email send uses a shell command with user-supplied placeholders (--to="{EmailTarget}" and --body-html="$(printf '%s' '{HTML内容}')"); if placeholders are not properly escaped, this creates command-injection risk. (3) It relies on platform tools 'web_search' and 'fetch__fetch' (expected) but these will perform broad web fetching — acceptable for the stated purpose but increases data fetched/transmitted.
Install Mechanism
No install spec (instruction-only) — lowest install risk. Nothing is being downloaded or written by an installer in this skill bundle.
Credentials
The skill declares no required environment variables or credentials, yet runtime steps require authenticated email delivery (gog gmail send) and potentially access to web fetching services. The lack of declared credentials (e.g., Gmail OAuth token, SMTP creds, or a configured 'gog' CLI) is disproportionate to the email-delivery capability and is a notable omission.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no forced always-on privilege. The skill instructs spawning subagents (sessions_spawn), which is normal for complex multi-step agents; nothing in the bundle requests persistent system-wide changes or modifies other skills' configuration.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install news-sum
  3. After installation, invoke the skill by name or use /news-sum
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
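news-sum 1.0.0
- Initial release, supporting multi-topic news retrieval, summarization and structured writing.
- Implements a three-tier parallel division of labour (editor-in-chief, editor, reporter) that automatically tracks ongoing events and reporting hotspots.
- Supports automatically sending the daily news summary to a specified mailbox, with a built-in Markdown-to-HTML conversion flow.
- Supports three topics by default: "International Situation", "Economy and Finance" and "Tech and AI".
- News summaries and recent hot topics support file archiving and automatic rolling updates.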
Metadata
Slug news-sum
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is News Sum?

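News aggregation and email delivery skill. Triggered when the user asks to "generate today's news summary" or "send the news to my mailbox". Supports: (1) accepting user-specified topics, then searching and generating a news summary; (2) delivering it to a specified email address as the user requests. It is an AI Agent Skill for Claude Code / OpenClaw, with 68 downloads so far.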

How do I install News Sum?

Run "/install news-sum" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is News Sum free?

Yes, News Sum is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does News Sum support?

News Sum is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created News Sum?

It is built and maintained by Leonard (@liliangjie91); the current version is v1.0.0.
