← 返回 Skills 市场
newspaper-download-skill
作者
1787812757
· GitHub ↗
· v1.0.0
· MIT-0
75
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install newspaper-download-skill
功能描述
报刊 PDF 下载工具。通过 CLI 命令查询已收录的报刊更新、定位指定期次、获取 PDF 下载链接。查询不鉴权,下载需要 Import Token。Newspaper/magazine PDF download tool. Use CLI commands to query collected issues,...
安全使用建议
This skill is plausible for getting PDF download links, but exercise caution before installing or using it: 1) The script deliberately bypasses system proxies and disables TLS certificate checks — that can circumvent corporate/network controls and make connections vulnerable to interception. If you run this inside a managed environment, this alone is a strong reason to avoid it. 2) The tool reads an import token from config.json (or IMPORT_TOKEN env) and returns download URLs that include that token — anyone with those URLs can use your token; treat it like a secret. 3) SKILL.md insists you only run the packaged CLI; review the full get_data.py to confirm it never writes files, exfiltrates other secrets, or performs unexpected actions when run without --no-save. 4) Prefer skills with a known source/homepage and audited TLS behavior; if you need this functionality, consider implementing a small trusted client that honors system proxy settings and validates certificates, or run this script in an isolated environment after a careful code review.
功能分析
Type: OpenClaw Skill
Name: newspaper-download-skill
Version: 1.0.0
The skill bundle contains a Python script (scripts/get_data.py) that intentionally disables SSL certificate verification (ssl.CERT_NONE) and bypasses system proxies to communicate with pick-read.vip. While these behaviors are documented as workarounds for connectivity issues in AI sandboxes, they constitute a significant security vulnerability by exposing the user's 'import_token' to potential Man-in-the-Middle (MITM) attacks. Per the instructions, this high-risk vulnerability is classified as suspicious rather than malicious as it appears to be a functional choice rather than an intentional exploit.
能力评估
Purpose & Capability
Name, description, required binary (python3), config.json and the script all align with a CLI tool that queries an OCR/download API (pick-read.vip). Accepting an import token and an API base is expected.
Instruction Scope
SKILL.md mandates using the packaged CLI (not curl/requests) and always using --no-save, and the code indeed performs network requests to the API. However the instructions forbid direct API calls while the code itself bypasses system proxies and can disable TLS checks; this expands the runtime's network behavior beyond what a user might expect and reduces transparency.
Install Mechanism
No install spec (instruction-only with included script). That keeps risk lower than arbitrary remote installs. The repository contains a local Python script only; nothing is fetched/installed at install time.
Credentials
No required env vars are declared; the script optionally respects OCR_API_BASE and IMPORT_TOKEN which is reasonable. However the skill stores/reads an import token in config.json and returns URLs containing the token — users should recognize that sharing those URLs leaks the token. The number of credentials requested is minimal.
Persistence & Privilege
always:false and no special install-time persistence. But the SKILL.md's strict 'do not save' rule contrasts with code that defines DEFAULT_OUTPUT_DIR and may be able to write files if invoked without --no-save. More critically, the code bypasses system proxies (ProxyHandler({})) and uses SSL contexts that disable certificate verification — giving the script the ability to make direct, unverified outbound network connections that can circumvent platform or network policies.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install newspaper-download-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/newspaper-download-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
报刊 PDF 下载工具:通过 CLI 命令可查询主流国际报刊(如 The New York Times、The Wall Street Journal、The Economist、The Guardian 等)的最新更新情况,定位指定期次,并获取 PDF 下载链接。查询功能无需鉴权,下载需配置 Import Token。
Newspaper & magazine PDF download tool: Use CLI commands to check update status of leading publications (such as The New York Times, The Wall Street Journal, The Economist, The Guardian), locate specific issues, and retrieve PDF download links. No authentication is required for queries; downloading requires an Import Token.
元数据
常见问题
newspaper-download-skill 是什么?
报刊 PDF 下载工具。通过 CLI 命令查询已收录的报刊更新、定位指定期次、获取 PDF 下载链接。查询不鉴权,下载需要 Import Token。Newspaper/magazine PDF download tool. Use CLI commands to query collected issues,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 75 次。
如何安装 newspaper-download-skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install newspaper-download-skill」即可一键安装,无需额外配置。
newspaper-download-skill 是免费的吗?
是的,newspaper-download-skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
newspaper-download-skill 支持哪些平台?
newspaper-download-skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 newspaper-download-skill?
由 1787812757(@1787812757)开发并维护,当前版本 v1.0.0。
推荐 Skills