← 返回 Skills 市场
77
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install news-sum-lite
功能描述
轻量新闻日报 skill。触发条件:用户说"今日新闻"、"新闻日报"、"生成今日新闻"。主打快速、轻量、一气呵成。
安全使用建议
Before installing or enabling this skill, ask the author to clarify and fix these issues: (1) Declare required binaries and tools (e.g., npx/node, the 'gog' gmail CLI) or provide an install spec; (2) Declare any environment variables or credentials needed for sending email (OAuth tokens, API keys) and explain how credentials are obtained/stored; (3) Fix placeholder inconsistencies ({todays-brief.md} vs brief-yyyymmdd.md and {aim-email}) and explain how the recipient is determined (prompt user each run vs configured env var); (4) Confirm the skill is allowed to write to archive/news/brief/ and document what it writes; (5) If you don't want the skill to run shell commands on the host, request a version that uses only platform-provided tooling or a documented API. Because the current instructions assume undeclared tooling and credentials, proceed cautiously — do not grant it access to sensitive email credentials or broad filesystem write permissions until these questions are resolved.
功能分析
Type: OpenClaw Skill
Name: news-sum-lite
Version: 1.0.0
The skill automates news aggregation and delivery via email but contains a shell injection vulnerability in SKILL.md. Step 5 executes a bash command that incorporates the variable '$HTML' and placeholders like '{todays-brief.md}' without proper sanitization or quoting, which could allow for arbitrary command execution if the news content or filenames are manipulated. While the intent appears benign and aligned with the stated purpose, the insecure handling of shell execution poses a security risk.
能力评估
Purpose & Capability
The described purpose (generate and send a daily news brief) matches the actions in SKILL.md (search, summarize, save, email). However the instructions depend on external search tools (web_search, tavily_search) and command-line tools (npx marked, gog gmail send) that are not declared in the metadata. That mismatch (instructions requiring binaries/credentials that the registry metadata does not list) is disproportionate to the stated lightweight intent.
Instruction Scope
SKILL.md directs the agent to perform web searches, write a markdown file to archive/news/brief/brief-yyyymmdd.md, and run shell commands to convert Markdown to HTML and send mail. It requires selecting sources 1:1 domestic/international and forbids hallucination. The instructions contain inconsistent placeholders ({todays-brief.md} vs brief-yyyymmdd.md and {aim-email} without explanation), assume availability of search tools and a gmail CLI, and do not explain where email credentials or recipient addresses come from. These are scope and clarity issues that could cause unexpected behavior or require credentials not declared.
Install Mechanism
There is no install spec (instruction-only), which is lower risk in itself. However the runtime commands imply dependencies on node/NPM (npx marked) and a third-party 'gog gmail send' CLI. Because no install steps or provenance for those tools are provided, the skill implicitly requires external binaries that the platform may not have — a deployment/operational concern but not an explicit install risk in the package itself.
Credentials
The registry shows no required environment variables or credentials, yet the instructions perform email sending (which typically requires OAuth tokens or API keys) and write to local archive paths. The skill fails to declare any email credentials, token locations, or config paths. Requesting the ability to send email and write files without declaring where credentials or recipient addresses come from is disproportionate and under-specified.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The skill writes files to archive/news/brief/… and invokes system commands — these are reasonable for its function, but users should be aware it will create files and run external commands when invoked. Because autonomous invocation is allowed by default, those actions could occur without repeated prompts if the agent is given broader permissions; this increases blast radius but is not, by itself, a disqualifying privilege.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install news-sum-lite - 安装完成后,直接呼叫该 Skill 的名称或使用
/news-sum-lite触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
news-sum-lite v1.0.0
- Initial release of a lightweight news summary skill supporting commands like "今日新闻", "新闻日报", and "生成今日新闻".
- Generates daily news reports quickly in Chinese, focusing on international affairs, economy/finance, and tech/AI.
- Ensures balanced Chinese and international news sources, using both web_search and tavily_search.
- Summarizes each news item (approx. 300 characters) with title, date, source, and link, in a strict markdown template.
- Adds one proactively explored related topic per day.
- Formats, saves, and auto-emails the daily report as both markdown attachment and styled HTML body.
元数据
常见问题
News Sum Lite 是什么?
轻量新闻日报 skill。触发条件:用户说"今日新闻"、"新闻日报"、"生成今日新闻"。主打快速、轻量、一气呵成。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 77 次。
如何安装 News Sum Lite?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install news-sum-lite」即可一键安装,无需额外配置。
News Sum Lite 是免费的吗?
是的,News Sum Lite 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
News Sum Lite 支持哪些平台?
News Sum Lite 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 News Sum Lite?
由 Leonard(@liliangjie91)开发并维护,当前版本 v1.0.0。
推荐 Skills