Total downloads: 514
Favorites: 0
Current installs: 6
Versions: 1
Install in OpenClaw
/install news-monitor
Description
Real-time news aggregator with Discord & Telegram push. Manage Jin10, BlockBeats, RSS, X KOLs, Polymarket, OpenNews via REST API.
Security usage recommendations
This skill appears to be what it claims (a node-based news aggregator) but it asks you to fetch and run code from an external GitHub repo and to host an HTTP admin API that can be left unauthenticated. Before installing: (1) review the upstream repository source code yourself (or request the code be bundled into the skill) to check for concealed network exfiltration or privileged operations; (2) run it inside an isolated environment (container or VM) with limited network and file access; (3) set a strong dashboard.password and avoid leaving it blank; (4) do not supply production credentials (Discord webhooks, Telegram bot tokens, API keys) until you trust the code; (5) if you must run on a host, bind the service to localhost only and firewall the port; (6) prefer a skill that includes audited code in the bundle or is published from a known/verified source. If you want, I can list exact files or code locations to inspect next (e.g., startup scripts, config handling, outgoing request logic).
Functional analysis
Type: OpenClaw Skill
Name: news-monitor
Version: 1.0.0
This skill is classified as suspicious due to its reliance on external, potentially mutable, resources and the broad permissions it requires. The `SKILL.md` instructs the agent to `git clone` a repository from GitHub (`https://github.com/zxcnny930/buzz.git`) and then run `npm install`, which can execute arbitrary code from external npm packages. The `package.json` explicitly requests the `exec` tool, granting the agent the ability to run arbitrary shell commands. Furthermore, the skill is designed to handle and transmit sensitive API keys/tokens (e.g., Discord, Telegram, 6551.io, Grok/OpenAI) and allows configurable external API endpoints, increasing the attack surface for potential data exfiltration if the external repository, npm packages, or the local service itself were compromised.
Capability assessment
Purpose & Capability
Name/description (news aggregator with Discord/Telegram push) align with the runtime instructions (clone repo, npm install, run server, configure sources and webhooks). Required binaries (node, npm) are appropriate for the stated purpose.
Instruction Scope
SKILL.md tells the user/agent to git clone https://github.com/zxcnny930/buzz.git, run npm install and npm start, then manage the running service via local HTTP endpoints. The API allows hot updates to config (including API keys, webhooks, bot tokens) and examples omit the password parameter; the doc explicitly says a blank password => no authentication. Running this service therefore grants an external repo code execution on your system and exposes an admin API that can be unauthenticated — both are scope/risk concerns relative to a typical 'skill' install.
Install Mechanism
There is no install spec in the registry bundle; instead SKILL.md instructs cloning and running a third‑party GitHub repository and running npm install (arbitrary remote code). While GitHub is a common host, fetching and executing upstream code at runtime is higher risk than an instruction-only skill that contains no external downloads.
Credentials
The skill declares no required env vars, which is reasonable, but the API and docs show it will store and use many sensitive values (discord webhookUrl, telegram botToken/chatId, grok/apiKey, etc.) in config.json. The package.json metadata references agent tools like exec/read, indicating the skill expects shell execution abilities. Requiring secrets at runtime (in config) is proportionate to the service, but the registry does not explicitly require or limit these credentials — review before providing them.
Persistence & Privilege
The instructions run a long‑running local server (default port 3848) that accepts configuration changes via HTTP. Although always:false (not force-installed), the service persists while running and can be left reachable. Because the server can operate without a password if misconfigured, it may be remotely or locally manipulated. This persistent network presence increases attack surface.
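How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install news-monitor`
- Once installation completes, call the Skill by name or use `/news-monitor` to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output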
Version history
v1.0.0
Buzz v1.0.0: Initial release – real-time news aggregator with REST API and Discord/Telegram push.
- Aggregates news from Jin10, BlockBeats, RSS, X KOLs, Polymarket, and OpenNews.
- REST API for all configuration, supporting hot-reload with no restarts.
- Discord and Telegram push notifications supported.
- Includes endpoints for config, status, KOL management, health check, and real-time SSE news stream.
- Supports password-protected endpoints (optional) and redacts sensitive fields from responses.
- Detailed examples and schema provided in documentation.
Metadata
FAQ
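What is News Monitor?
Real-time news aggregator with Discord & Telegram push. Manage Jin10, BlockBeats, RSS, X KOLs, Polymarket, OpenNews via REST API. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 514 total downloads to date.
How do I install News Monitor?
Run the command "/install news-monitor" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is News Monitor free?
Yes, News Monitor is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does News Monitor support?
News Monitor runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (darwin, linux, win32).
Who developed News Monitor?
It is developed and maintained by zxcnny930 (@zxcnny930); the current version is v1.0.0.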