Multi-Source Feed

Set up and manage an AI-curated daily tech brief from customizable sources. Use when user says "set up multi-source-feed", "configure my daily brief", or "ms...

What to check before installing: - Missing/unclear declared secrets: the registry only lists TAVILY_API_KEY, but SKILL.md asks for PRODUCTHUNT_API_TOKEN as well — confirm you want to provide both and add PRODUCTHUNT_API_TOKEN to the .env. Ask the author why the registry metadata omits it. - X/Twitter session access: the skill requires you to open Chrome with --remote-debugging-port and then runs login_save_session.py to extract your browser storage_state (cookies/auth) into x_session.json. That file contains your logged-in session and can be used to act as you on X. Only proceed if you trust the code; consider inspecting login_save_session.py and the scraping scripts yourself. Do not upload or share x_session.json. - Review the code and origin: the SKILL.md clones https://github.com/zidooong/multi-source-feed; verify that repository, its commit/tag, and its README match the bundle you received. The bundle contains code but still instructs cloning upstream — reconcile this before running. Prefer cloning a specific release/tag rather than HEAD. - Run in an isolated environment: install into a disposable VM/container or a dedicated user account to limit blast radius (cron jobs and stored sessions will be local to that environment). - Inspect what the agent will send: confirm how the skill will deliver memos (OpenClaw gateway vs local integrations) and whether any messaging channel tokens are required or will be requested. If channel tokens are needed, ensure they are provided consciously and least-privileged. - If you want higher assurance: ask the publisher for a signed release, a small security note explaining cookie handling and retention policies, and a minimal install option that skips X scraping (so you can use only RSS/HN/GitHub/Product Hunt/Tavily). Confidence notes: assessment is 'suspicious' (medium confidence) because much of the behavior is coherent with the stated goal (aggregating many public sources), but the metadata/instructions mismatch (missing declared env vars, sensitive cookie capture, and duplicated clone vs included code) creates unexplained risks that should be resolved before trusting automatic installation.

Type: OpenClaw Skill Name: multi-source-feed Version: 1.0.1 The bundle implements a tech-brief aggregator that uses high-risk techniques to function. Specifically, SKILL.md and login_save_session.py instruct the user to expose Chrome's remote debugging port (9222) to allow the agent to programmatically extract and save X/Twitter session cookies to a local file (x_session.json). While this serves the stated purpose of scraping feeds without an API, the technique is identical to methods used by session-hijacking malware. Additionally, the SKILL.md instructions command the AI agent to automatically execute shell commands, install external dependencies, and modify crontabs, which creates a significant risk of unintended code execution or environment compromise.