pyh-pan

Multi Source Tech News Digest

Author: Haloha · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 487
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install multi-source-news-digest
Description
Aggregates and scores technology news daily from 100+ RSS feeds, GitHub releases, and web sources, providing customizable, filtered tech news digests.
Security usage advice
This skill mostly does what its name promises (aggregate tech news) but has several red flags you should consider before installing:
- The code uses subprocess.run with dynamically constructed Python -c strings that embed config values (RSS URLs and repo strings). If those config values are modified by an attacker or come from untrusted input, they could lead to arbitrary code execution. Ask the author to remove subprocess -c usage and call requests/feedparser directly in-process.
- Some advertised sources (Twitter/X, web scraping) are mentioned in descriptions/config but are not actually implemented; verify the feature set if you need those sources.
- The GitHub endpoints in config appear incorrect/unexpected; confirm how GitHub data is fetched and whether authentication is required for your use case.
- test_skill.py contains a hardcoded absolute path (/home/pan/...), likely a leftover from development. That is not a direct runtime threat but indicates the repo wasn't fully cleaned.
- Because the skill makes outbound HTTP requests, run it in a sandboxed environment or restricted network if you want to limit data exfiltration risk, and review/replace the subprocess calls before granting production use.
If you decide to proceed: require the maintainer to (1) replace subprocess -c calls with in-process library calls that properly validate/escape inputs, (2) fix/clarify GitHub source usage, (3) remove development hardcoded paths, and (4) document exactly which external endpoints will be contacted and whether credentials are ever required.
Functional analysis
Type: OpenClaw Skill
Name: multi-source-news-digest
Version: 1.0.0
The `skill.py` file contains a critical code injection vulnerability. It uses `subprocess.run` to execute Python code, directly embedding user-configurable URLs (`rss_sources` and `github_repos` from `config.json`) into f-strings. As `SKILL.md` explicitly states that `config.json` is user-editable, an attacker could modify these URLs to inject arbitrary Python code, leading to Remote Code Execution (RCE) on the agent. While the provided `config.json` contains benign URLs, the underlying implementation flaw makes the skill highly risky.
Capability assessment
Purpose & Capability
The name/description claim aggregation from RSS, GitHub releases, and web sources (and mention Twitter/X). The code implements RSS fetching and GitHub release fetching, but GitHub endpoints in config are incorrect/unusual ('https://api.github.com/repos/trending'), and there is no real Twitter/X ingestion or web scraping implementation beyond listing a few web URLs in config. The inclusion of package.json/requirements is reasonable for an aggregator, but some declared sources and descriptions (Twitter/X, web scraping) are not implemented, which is an incoherence.
Instruction Scope
Runtime code uses subprocess.run to execute dynamically constructed Python -c one-liners that embed config values (source_url and repo) directly into the command string. That pattern can lead to command/Python code injection if config values are attacker-controlled or maliciously modified. The SKILL.md usage instructions are straightforward (python skill.py digest/list/refresh) and do not request secrets, but the implementation detail of spawning an interpreter for each fetch is unnecessary and risky compared to using the imported libraries directly. test_skill.py also hardcodes an absolute path (/home/pan/...) which is a leftover artifact and may leak local paths.
Install Mechanism
There is no install spec (instruction-only install), which minimizes install-time risk. The repository includes requirements.txt and package.json (declaring common libraries requests, feedparser, beautifulsoup4) — expected for this kind of skill. No remote downloads or extract operations are present.
Credentials
The skill does not request environment variables, credentials, or special config paths. The default config lists external endpoints (RSS/GitHub/Google News/Techmeme) but there are no access tokens or secrets requested, which is proportionate for a public-news aggregator.
Persistence & Privilege
The skill does not set always: true and is user-invocable only (default). The included trigger_config.json sets an auto-start cron schedule and notification channels, but that appears to be a platform trigger config, not an internal mechanism that modifies other skills or system-wide settings. Autonomous invocation by the agent is allowed by default (platform standard).
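How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install multi-source-news-digest
  3. Once installation completes, invoke the Skill by name or trigger it with /multi-source-news-digest
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history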
v1.0.0
Initial release of Multi Source Tech News Digest.
- Aggregates technology news from 109+ sources, including RSS feeds, GitHub releases, and web pages.
- Automatically scores and filters news based on tech relevance and source credibility.
- Provides configurable source lists, scoring thresholds, and daily formatted news digests.
- Includes commands to generate digests, list news, and refresh data.
- Customizable via config.json for sources and filtering preferences.
Metadata
Slug: multi-source-news-digest
Version: 1.0.0
License
Total installs: 1
Current installs: 1
Historical versions: 1
FAQ

What is Multi Source Tech News Digest?

Aggregates and scores technology news daily from 100+ RSS feeds, GitHub releases, and web sources, providing customizable, filtered tech news digests. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 487 total downloads so far.

How do I install Multi Source Tech News Digest?

Run the command "/install multi-source-news-digest" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Multi Source Tech News Digest free?

Yes, Multi Source Tech News Digest is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Multi Source Tech News Digest support?

Multi Source Tech News Digest runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Multi Source Tech News Digest?

Developed and maintained by Haloha (@pyh-pan); the current version is v1.0.0.
