mephistophelesbits

Signal Pipeline

by KF · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
Downloads 678
Stars 0
Active Installs 0
Versions 4
Install in OpenClaw
/install signal-pipeline
Description
Marketing intelligence pipeline - gather signals from RSS, X/Twitter, Telegram, and Gmail newsletters. Generate daily posts, weekly summaries, and monthly de...
Usage Guidance
Before installing or running:
  1. Expect to configure and authorize a 'gog' CLI for Gmail — the skill does not declare that requirement; avoid giving Gmail access if you don't trust the code.
  2. Inspect and change hardcoded paths (e.g., /Users/jarvis/.openclaw/workspace/memory/daily_signals/) — those will write into a specific user's home / agent workspace and may persist or be uploaded by the platform. Use a safe, explicit data directory you control.
  3. Run the code in a sandboxed environment (isolated VM or container) because it performs web requests (t.me, fxtwitter, sogou) and writes local databases.
  4. Consider replacing subprocess.run(..., shell=True) with a safer invocation or verify queries are static (newsletter_monitor uses static queries in code).
  5. If you will grant Gmail access, review newsletter_monitor.py carefully to confirm only expected data (subject/sender/date) is extracted and that nothing is exfiltrated to external endpoints.
  6. If you want to proceed, update SKILL metadata to declare required binaries (gog) and document Gmail credential needs; remove or parameterize absolute file paths so the skill is not implicitly writing into agent memory.
Capability Analysis
Type: OpenClaw Skill
Name: signal-pipeline
Version: 1.1.0
The skill is classified as suspicious primarily due to a shell injection vulnerability in `newsletter_monitor.py`. This file uses `subprocess.run(shell=True)` with an f-string to construct a command for the `gog` CLI, which could allow arbitrary command execution if the `query` parameter were to be influenced by untrusted input. Although the current `NEWSLETTERS` list contains hardcoded queries, the use of `shell=True` with string interpolation is a significant security flaw. Additionally, `daily_signals.py` contains hardcoded paths like `/Users/jarvis/.openclaw/workspace/memory/daily_signals/` for saving and loading data, which is a vulnerability that could lead to errors or unintended file operations on different systems or user configurations.
Capability Assessment
Purpose & Capability
The code implements RSS, X (FxTwitter), Telegram scraping, and Gmail newsletter extraction — consistent with the description. However the SKILL metadata declares no required binaries or credentials while the runtime relies on an external 'gog' CLI (Gmail access) and network access to third-party services (t.me, fxtwitter, sogou). The absence of those declared requirements is an inconsistency.
Instruction Scope
Runtime instructions and code reference reading Gmail via the gog CLI, scraping external websites, and writing/reading local files. More importantly, daily_signals.py writes and reads JSON from a hardcoded absolute path (/Users/jarvis/.openclaw/workspace/memory/daily_signals/), which is a user-specific and agent-workspace-like location. That path assumption and absolute writes are out-of-scope for a portable skill and could cause privacy/persistence issues.
Install Mechanism
There is no install spec (instruction-only with bundled Python code). No network install of arbitrary archives or remote execute at install time was specified. You must pip-install requirements manually; that's expected for a Python project. Risk from install mechanism is low, but running the code will make network requests and write files.
Credentials
The skill requests no env vars/credentials in metadata, yet newsletter_monitor.py requires a configured 'gog' CLI with Gmail access (which implies OAuth credentials or local tokens). The code also writes into a likely agent memory path under a specific user's home, which gives it implicit access to agent/user workspace. Those required secrets and file access are not declared and are disproportionate to what's advertised.
Persistence & Privilege
The skill is not always-enabled and doesn't modify other skills, but it writes persistent state to local SQLite DBs and to a hardcoded agent-memory-like directory (/Users/jarvis/.openclaw/workspace/memory/...). Writing into an OpenClaw-style workspace/memory directory could cause data to be retained by the agent platform; combined with autonomous invocation (default) this increases persistence and blast radius relative to a self-contained script.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install signal-pipeline
  3. After installation, invoke the skill by name or use /signal-pipeline
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Added EvoMap-style signal capsules with GDI quality scoring
v1.0.2
Removed personal info from docs
v1.0.1
Added X/Twitter and Gmail newsletter modules
v1.0.0
Initial release
Metadata
Slug signal-pipeline
Version 1.1.0
License
All-time Installs 0
Active Installs 0
Total Versions 4
Frequently Asked Questions

What is Signal Pipeline?

Marketing intelligence pipeline - gather signals from RSS, X/Twitter, Telegram, and Gmail newsletters. Generate daily posts, weekly summaries, and monthly de... It is an AI Agent Skill for Claude Code / OpenClaw, with 678 downloads so far.

How do I install Signal Pipeline?

Run "/install signal-pipeline" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Signal Pipeline free?

Yes, Signal Pipeline is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Signal Pipeline support?

Signal Pipeline is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Signal Pipeline?

It is built and maintained by KF (@mephistophelesbits); the current version is v1.1.0.
