← Back to Skills Marketplace
Media News Digest
by
Linfeng Liang
· GitHub ↗
· v2.1.1
960
Downloads
2
Stars
1
Active Installs
16
Versions
Install in OpenClaw
/install media-news-digest
Description
Generate media & entertainment industry news digests. Covers Hollywood trades (THR, Deadline, Variety), box office, streaming, awards season, film festivals,...
Usage Guidance
This skill appears coherent and intended for the stated purpose, but review these before installing: (1) When you provide API keys (Twitter/Brave/Tavily), use least-privilege / dedicated keys and store them in your environment or workspace config, not in the repo. (2) Inspect send-email.py / your mail delivery configuration: decide whether you'll use msmtp/system mail or an external CLI (the templates reference 'gog gmail send' but that tool isn't declared). Make sure your mail client is configured securely. (3) The skill reads <WORKSPACE>/archive/... and <WORKSPACE>/config/... — confirm you are comfortable the agent will access those workspace paths. (4) If you plan to allow automated, scheduled delivery, audit who receives those digests and any channel IDs configured. (5) If you want extra assurance, run the pipeline locally first (pip install -r requirements.txt) and review the send-email.py and any network-call code (fetch-* scripts) to confirm endpoints and retry/error handling. Overall the skill is internally consistent; these are operational checks rather than blockers.
Capability Analysis
Type: OpenClaw Skill
Name: media-news-digest
Version: 2.1.1
The skill bundle is classified as suspicious due to a shell injection vulnerability found in the `scripts/test-pipeline.sh` file. Specifically, the script uses unquoted shell variables (`$TOPICS`, `$IDS`) within `grep -qi` and `python3 -c` commands, which could allow arbitrary command execution if a user provides specially crafted input to the `--topics` or `--ids` arguments. While this is a test script and not part of the main agent execution flow, it represents a vulnerability that could be exploited. The rest of the skill demonstrates strong security awareness, including explicit prompt injection mitigations in `SKILL.md` and `references/digest-prompt.md`, and robust HTML sanitization in `scripts/sanitize-html.py`.
Capability Assessment
Purpose & Capability
Name/description (media news digest) matches the included scripts (fetch-rss, fetch-twitter, fetch-reddit, fetch-web, merge, summarize, generate-pdf, send-email). Declared binaries (python3) and optional email senders are appropriate for the task; required env vars (Twitter / Brave / Tavily keys) listed in SKILL.md are the credentials you would expect for the described data sources.
Instruction Scope
SKILL.md instructions are scoped to collecting sources from declared feeds/APIs, merging/deduplicating, generating a report, and delivering via Discord/email. It explicitly reads workspace config overrides and the skill archive to avoid duplicates — that is reasonable for a pipeline that must dedupe and resume. No instructions tell the agent to read unrelated system files, exfiltrate arbitrary data, or contact unexpected endpoints (all external APIs mentioned are search/Twitter providers or the user's mail delivery tool).
Install Mechanism
There is no platform-level install spec (install steps are not included), but the repo includes runnable Python scripts and a requirements.txt. This is low risk but means the operator must install Python dependencies themselves. Minor inconsistency: email templates reference a 'gog gmail send' CLI while the pipeline uses send-email.py / system mail (msmtp) — the repo documents multiple delivery options but does not declare the 'gog' tool in optionalBins.
Credentials
Environment variables declared (X_BEARER_TOKEN, TWITTERAPI_IO_KEY, BRAVE_API_KEY(S), TAVILY_API_KEY) map to the declared integration backends. No unrelated credentials (AWS, SSH keys, database passwords) are requested. Email delivery relies on system mail or optional tools; the repo states it does not write credentials to disk. This access is proportionate to the skill's functionality.
Persistence & Privilege
Skill is not marked always:true and does not request elevation or modification of other skills. It reads and writes within its workspace archive/config paths per its stated purpose (archiving reports, reading workspace overrides). Autonomous invocation (default) is allowed but is the platform norm and not by itself a red flag.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install media-news-digest - After installation, invoke the skill by name or use
/media-news-digest - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.1
Fix SKILL.md: 65 sources, all env vars, 14 scripts, quality score display, article enrichment, Tavily/Brave multi-key, PDF email
v2.1.0
Article enrichment, Tavily web search, multi-key Brave API, quality score display, PDF email, 65 sources
v1.8.1
Add second email recipient support
v1.8.0
Simplify prompt, CONTRIBUTING.md, EMAIL_FROM, email parity
v1.7.2
Email delivery: prefer mail/msmtp, fallback to gog
v1.7.1
Prompt injection sanitization in summarize-merged.py
v1.7.0
summarize-merged helper, zsh compat, archive path fix
v1.6.3
Republish
v1.6.2
Schema fix (reddit type), declare deps/credential access, update quick start
v1.6.1
KOL display names, code quality cleanup, unused import removal
v1.6.0
Unified parallel pipeline, Reddit SSL/parallel fix, Brave auto-concurrency
v1.5.1
v1.5.1: Security fix — HTML sanitizer for email output prevents XSS from untrusted RSS/Twitter/web content
v1.5.0
v1.5.0: URL dedup, Reddit scoring boost, web retry, topic coverage fix (upcoming 0→12), 44 sources (38 enabled), all tech-digest leftovers cleaned
v1.3.0
Add Upcoming Releases section for North American theater openings
v1.2.0
Add China section (first position), 6 Reddit sources, 3 China RSS feeds, 41 total sources
v1.1.0
Initial ClawHub release: 29 sources, 7 topic sections, Discord + email delivery, Chinese body with English source links
Metadata
Frequently Asked Questions
What is Media News Digest?
Generate media & entertainment industry news digests. Covers Hollywood trades (THR, Deadline, Variety), box office, streaming, awards season, film festivals,... It is an AI Agent Skill for Claude Code / OpenClaw, with 960 downloads so far.
How do I install Media News Digest?
Run "/install media-news-digest" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Media News Digest free?
Yes, Media News Digest is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Media News Digest support?
Media News Digest is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Media News Digest?
It is built and maintained by Linfeng Liang (@dinstein); the current version is v2.1.1.
More Skills