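Total downloads: 68
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install news-sum
Description
News summary and email delivery skill. Triggered when the user asks to "generate today's news summary" or "send the news to an email address". Supports: (1) accepting user-specified topics, then searching and generating a news summary; (2) delivering it to a specified email address on request.
Security recommendations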
Before installing or enabling this skill, verify these points: (1) Confirm how email sending will be authenticated: the SKILL.md uses 'gog gmail send' but the skill declares no required binary or any credentials — ask the author where 'gog' comes from and what credentials it needs. Do not provide broad Gmail/SMTP credentials until you trust the CLI and source. (2) Resolve the contradiction about temporary files: the skill says 'convert in memory, no temp files' but also attaches a file path; ensure attachments are created only in a controlled workspace path. (3) Command injection risk: the send command interpolates user-supplied EmailTarget and HTML into a shell command. Make sure placeholders are properly escaped or use an API/SDK instead of raw shell formatting. (4) Review privacy: the skill will fetch many web pages (English + Chinese results) and may include scraped content in outgoing emails; confirm you are comfortable with that data leaving your agent. (5) If you proceed, require the author to declare the exact binary dependency and the minimal credential scope (e.g., a dedicated, limited-scope SMTP account or OAuth token), or modify the skill to use the platform's audited mail API to avoid shell/credential issues.
Functional analysis
Type: OpenClaw Skill
Name: news-sum
Version: 1.0.0
The news-sum skill implements a multi-agent workflow for news aggregation and email delivery. A significant security risk is identified in `SKILL.md`, where the email delivery function uses a shell command (`gog gmail send`) that wraps dynamic HTML content inside a subshell `$(printf '%s' ...)`. This pattern is highly susceptible to shell injection if the aggregated news content contains malicious sequences. While the logic appears aligned with its stated purpose, the unsafe handling of shell execution warrants a suspicious classification.
Capability assessment
Purpose & Capability
The skill claims to collect news and optionally send it by email, which is reasonable. However, the SKILL.md instructs the agent to run the external CLI command 'gog gmail send' to deliver mail yet the skill declares no required binaries and no credentials. Sending mail normally requires an authenticated mail client or credentials; that capability is not declared. This is an incoherence between claimed purpose and requested/declared resources.
Instruction Scope
Instructions read and write workspace files and spawn subagents for reporters/editors (reasonable for an aggregator). Concerns: (1) contradictory guidance — 'convert markdown to HTML in memory, do not generate temporary files' vs. the send command that uses --attach pointing to a file path (implies a file must exist). (2) The email send uses a shell command with user-supplied placeholders (--to="{EmailTarget}" and --body-html="$(printf '%s' '{HTML内容}')"); if placeholders are not properly escaped, this creates command-injection risk. (3) It relies on platform tools 'web_search' and 'fetch__fetch' (expected) but these will perform broad web fetching — acceptable for the stated purpose but increases data fetched/transmitted.
Install Mechanism
No install spec (instruction-only) — lowest install risk. Nothing is being downloaded or written by an installer in this skill bundle.
Credentials
The skill declares no required environment variables or credentials, yet runtime steps require authenticated email delivery (gog gmail send) and potentially access to web fetching services. The lack of declared credentials (e.g., Gmail OAuth token, SMTP creds, or a configured 'gog' CLI) is disproportionate to the email-delivery capability and is a notable omission.
Persistence & Privilege
always:false and user-invocable:true (defaults) — no forced always-on privilege. The skill instructs spawning subagents (sessions_spawn), which is normal for complex multi-step agents; nothing in the bundle requests persistent system-wide changes or modifies other skills' configuration.
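How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install news-sum
- After installation, call the Skill by name or use /news-sum to trigger it
- Provide the required input according to the Skill's parameter description to get structured output
Version history
v1.0.0
news-sum 1.0.0
- Initial release, with multi-topic news retrieval, summarization and structured writing.
- Implements a three-tier parallel division of labor (chief editor, editor, reporter) and automatically tracks ongoing events and reporting hotspots.
- Supports automatically sending the daily news summary to a specified email address, with a built-in Markdown-to-HTML conversion flow.
- Supports three default topics: "International Affairs", "Economy and Finance" and "Technology and AI".
- News summaries and recent hotspots support file archiving and automatic rolling updates.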
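FAQ
What is News Sum?
News summary and email delivery skill. Triggered when the user asks to "generate today's news summary" or "send the news to an email address". Supports: (1) accepting user-specified topics, then searching and generating a news summary; (2) delivering it to a specified email address on request. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 68 cumulative downloads so far.
How do I install News Sum?
Run the command "/install news-sum" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is News Sum free?
Yes, News Sum is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does News Sum support?
News Sum runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed News Sum?
Developed and maintained by Leonard (@liliangjie91); the current version is v1.0.0.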