Total downloads: 54
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install rss-agg
Description
Parse, aggregate and process RSS/Atom feeds. Use when user wants to track multiple RSS feeds, create personalized news digest, monitor blog updates, or build...
Security usage recommendations
This skill is functionally coherent for aggregating feeds, but review the following before using:
1) The script disables TLS certificate verification (ctx.check_hostname=False; ctx.verify_mode=ssl.CERT_NONE). That makes feed downloads vulnerable to man-in-the-middle attacks — consider removing those lines so certificates are validated.
2) The code uses Python's xml.etree.ElementTree without explicit protections; consider using a hardened XML parser (e.g., defusedxml) to prevent XML external entity (XXE) issues.
3) The script will fetch any URL you provide (including internal network addresses); avoid pointing it at sensitive internal endpoints or run it in a restricted/containerized environment.
4) SKILL.md examples use external notification tools (telegram-send) — ensure any notification integrations are configured safely and you understand what data will be transmitted.
If you want to proceed, run this in an isolated environment, sanitize feed lists, and patch the TLS/XML issues first.
Functional analysis
Type: OpenClaw Skill
Name: rss-agg
Version: 1.0.0
The RSS aggregator skill contains significant security vulnerabilities in `scripts/aggregator.py`. Specifically, the script explicitly disables SSL certificate verification (`ssl.CERT_NONE`), which exposes the agent to Man-in-the-Middle (MitM) attacks when fetching remote feeds. Furthermore, the use of the standard `xml.etree.ElementTree` library to parse untrusted XML data from the internet presents a risk of XML External Entity (XXE) attacks. While these are critical vulnerabilities, they lack clear evidence of intentional malice or data exfiltration.
Capability assessment
Purpose & Capability
The name/description match the included script and instructions: the code fetches feeds, parses RSS/Atom, filters, and formats output. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
The SKILL.md instructs running the provided script and shows examples (including piping results to external tools like telegram-send). The bundled Python code fetches arbitrary URLs and parses XML. Notable risky behaviors in the runtime code: it explicitly disables TLS certificate validation (ssl.CERT_NONE and check_hostname=False) which permits MITM attacks, and it uses xml.etree.ElementTree without mitigations (raising potential XML parsing vulnerabilities). The SKILL.md's examples that call external notification tools mean outputs could be transmitted externally if the user configures them.
Install Mechanism
No install spec; code is provided directly. Nothing is downloaded from remote hosts during installation. This minimizes supply-chain risk.
Credentials
The skill requests no credentials or environment variables. There is no disproportionate credential request relative to its purpose.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges or modify other skills. It runs only when invoked.
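How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install rss-agg
- Once installation completes, invoke the Skill by name or trigger it with /rss-agg
- Provide the required input according to the Skill's parameter description to get structured output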
Version history
v1.0.0
Initial release: RSS/Atom feed aggregation with filtering and multiple output formats
Metadata
FAQ
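What is Rss Aggregator?
Parse, aggregate and process RSS/Atom feeds. Use when user wants to track multiple RSS feeds, create personalized news digest, monitor blog updates, or build... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 54 total downloads to date.
How do I install Rss Aggregator?
Run the command "/install rss-agg" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.
Is Rss Aggregator free?
Yes, Rss Aggregator is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does Rss Aggregator support?
Rss Aggregator is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Rss Aggregator?
It is developed and maintained by BIN (@dinghaibin); the current version is v1.0.0.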