← Back to Skills Marketplace

newsnow

Name: newsnow
Author: sorrycc

by chencheng (云谦) · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

1214

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install newsnow

Description

CLI tool to fetch trending news and hot topics from 66 sources across 44 platforms. Returns structured news items with titles, URLs, and metadata. USE FOR: -...

Usage Guidance

This skill's README expects you to install/run a Node package (npx newsnow) but the registry gives no package URL, homepage, or install spec and fails to declare the PRODUCTHUNT_API_TOKEN env var it mentions. Before installing or running this skill: 1) find the npm package name and publisher and verify the project homepage/source code and maintainer reputation; 2) avoid supplying secrets (API tokens) until you confirm the package's source and intent; 3) prefer running npx in an isolated environment (container or sandbox) and inspect the fetched package contents before execution; 4) if you can't find a trustworthy upstream (GitHub project, homepage, clear publisher), treat the package as untrusted and do not run it.

Capability Analysis

Type: OpenClaw Skill Name: newsnow Version: 1.0.0 The skill is classified as suspicious due to the broad `Bash(newsnow *)` and `Bash(npx newsnow *)` permissions granted in `SKILL.md`. While the stated purpose of fetching news is benign, these permissions allow the AI agent to execute the `newsnow` CLI tool with arbitrary arguments. Without access to the `newsnow` tool's source code, there's an unmitigated risk of command injection if the tool itself does not properly sanitize user-supplied input, potentially leading to arbitrary code execution if an attacker crafts a malicious prompt for the agent. This represents a significant vulnerability rather than direct malicious intent within the provided skill definition.

Capability Assessment

⚠ Purpose & Capability

The SKILL.md describes a Node.js CLI (newsnow) and explicitly says "Requires npm install" / suggests using npx. The registry entry, however, declares no install spec, no source/homepage, and no required binaries. That mismatch (describing a package but providing no origin or install instructions) is disproportionate to the stated purpose because an agent or user following the README would fetch code from npm with npx without the registry vetting where it comes from.

ℹ Instruction Scope

The instructions themselves are narrowly scoped to running the newsnow CLI and using --json; they do not instruct reading unrelated files or exfiltrating data. However they direct the operator/agent to run npm/npx to fetch external code at runtime (implicit network fetch and execution), which expands the attack surface beyond a pure instruction-only skill.

⚠ Install Mechanism

There is no install spec in the registry, yet SKILL.md requires npm install / suggests npx. That means the expected install comes from the public npm registry (or npx resolving a package) but the package name, publisher, and homepage are not provided in the skill metadata — making it unclear what will be downloaded and executed. Instruction-only skills that tell agents to npx unknown packages create higher risk.

⚠ Credentials

SKILL.md lists PRODUCTHUNT_API_TOKEN as required for the producthunt source, but the registry's required env vars list is empty. This inconsistency means an agent or user may be asked for a secret that wasn't declared up-front. The single env var is plausible for Product Hunt integration, but it should be declared in the metadata.

✓ Persistence & Privilege

The skill does not request persistent presence (always:false) and does not appear to modify other skills or agent configs. Autonomous invocation is allowed (default) but not combined with other high-privilege requests.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install newsnow
After installation, invoke the skill by name or use /newsnow
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

newsnow 1.0.0 initial release - Fetch trending news and hot topics from 66 sources across 44 platforms. - Supports structured JSON output with news details (title, URL, metadata). - Includes commands for listing all sources and fetching news from specific platforms. - API token required for some sources (e.g., PRODUCTHUNT_API_TOKEN). - Known limitations: Some sources may be blocked or inaccessible from certain regions.

Metadata

Slug newsnow

Version 1.0.0

License —

All-time Installs 9

Active Installs 9

Total Versions 1

Frequently Asked Questions

What is newsnow?

CLI tool to fetch trending news and hot topics from 66 sources across 44 platforms. Returns structured news items with titles, URLs, and metadata. USE FOR: -... It is an AI Agent Skill for Claude Code / OpenClaw, with 1214 downloads so far.

How do I install newsnow?

Run "/install newsnow" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is newsnow free?

Yes, newsnow is completely free (open-source). You can download, install and use it at no cost.

Which platforms does newsnow support?

newsnow is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created newsnow?

It is built and maintained by chencheng (云谦) (@sorrycc); the current version is v1.0.0.

More Skills