newsnow
Author: chencheng (云谦) · v1.0.0
Total downloads: 1214
Favorites: 11
Current installs: 9
Versions: 1
Install in OpenClaw
/install newsnow
Description
CLI tool to fetch trending news and hot topics from 66 sources across 44 platforms. Returns structured news items with titles, URLs, and metadata. USE FOR: -...
Security usage advice
This skill's README expects you to install/run a Node package (npx newsnow) but the registry gives no package URL, homepage, or install spec and fails to declare the PRODUCTHUNT_API_TOKEN env var it mentions. Before installing or running this skill: 1) find the npm package name and publisher and verify the project homepage/source code and maintainer reputation; 2) avoid supplying secrets (API tokens) until you confirm the package's source and intent; 3) prefer running npx in an isolated environment (container or sandbox) and inspect the fetched package contents before execution; 4) if you can't find a trustworthy upstream (GitHub project, homepage, clear publisher), treat the package as untrusted and do not run it.
Functional analysis
Type: OpenClaw Skill
Name: newsnow
Version: 1.0.0
The skill is classified as suspicious due to the broad `Bash(newsnow *)` and `Bash(npx newsnow *)` permissions granted in `SKILL.md`. While the stated purpose of fetching news is benign, these permissions allow the AI agent to execute the `newsnow` CLI tool with arbitrary arguments. Without access to the `newsnow` tool's source code, there's an unmitigated risk of command injection if the tool itself does not properly sanitize user-supplied input, potentially leading to arbitrary code execution if an attacker crafts a malicious prompt for the agent. This represents a significant vulnerability rather than direct malicious intent within the provided skill definition.
Capability assessment
Purpose & Capability
The SKILL.md describes a Node.js CLI (newsnow) and explicitly says "Requires npm install" / suggests using npx. The registry entry, however, declares no install spec, no source/homepage, and no required binaries. That mismatch (describing a package but providing no origin or install instructions) is disproportionate to the stated purpose because an agent or user following the README would fetch code from npm with npx without the registry vetting where it comes from.
Instruction Scope
The instructions themselves are narrowly scoped to running the newsnow CLI and using --json; they do not instruct reading unrelated files or exfiltrating data. However they direct the operator/agent to run npm/npx to fetch external code at runtime (implicit network fetch and execution), which expands the attack surface beyond a pure instruction-only skill.
Install Mechanism
There is no install spec in the registry, yet SKILL.md requires npm install / suggests npx. That means the expected install comes from the public npm registry (or npx resolving a package) but the package name, publisher, and homepage are not provided in the skill metadata — making it unclear what will be downloaded and executed. Instruction-only skills that tell agents to npx unknown packages create higher risk.
Credentials
SKILL.md lists PRODUCTHUNT_API_TOKEN as required for the producthunt source, but the registry's required env vars list is empty. This inconsistency means an agent or user may be asked for a secret that wasn't declared up-front. The single env var is plausible for Product Hunt integration, but it should be declared in the metadata.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not appear to modify other skills or agent configs. Autonomous invocation is allowed (default) but not combined with other high-privilege requests.
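How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install newsnow`
- Once installation completes, call the Skill by name or use `/newsnow` to trigger it
- Provide the necessary input according to the Skill's parameter description to get structured output
Version history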
v1.0.0
newsnow 1.0.0 initial release
- Fetch trending news and hot topics from 66 sources across 44 platforms.
- Supports structured JSON output with news details (title, URL, metadata).
- Includes commands for listing all sources and fetching news from specific platforms.
- API token required for some sources (e.g., PRODUCTHUNT_API_TOKEN).
- Known limitations: Some sources may be blocked or inaccessible from certain regions.
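FAQ
What is newsnow?
CLI tool to fetch trending news and hot topics from 66 sources across 44 platforms. Returns structured news items with titles, URLs, and metadata. USE FOR: -... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1214 cumulative downloads so far.
How do I install newsnow?
Run the command "/install newsnow" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is newsnow free?
Yes, newsnow is completely free (open source and free) and can be freely downloaded, installed, and used.
Which platforms does newsnow support?
newsnow runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed newsnow?
It is developed and maintained by chencheng (云谦) (@sorrycc); the current version is v1.0.0.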