网络安全情报爬虫

网络安全新闻爬虫，每小时自动从多个安全社区 RSS 抓取文章，存入 IMA 笔记。 触发场景：用户说"抓取安全新闻"、"网络安全日报"、"定时爬取安全资讯"、"安全新闻源管理" 或需要查看/管理安全新闻爬虫任务时使用此 skill。

What to check before installing/using this skill: - Metadata mismatch: the registry entry lists no required env vars, but SKILL.md and the scripts require IMA_OPENAPI_CLIENTID and IMA_OPENAPI_APIKEY (mandatory) and MINIMAX_API_KEY (for translation). Do not rely on the registry metadata alone. - Inspect run.sh: SKILL.md and instructions reference scripts/run.sh and say it hard-codes the IMA credentials. The manifest does not include run.sh — ask the author for the file or inspect it before running. If it hardcodes credentials, remove them and use environment variables instead. - openclaw.json access: vuln_crawler.py will try to read a global openclaw.json to fetch a MiniMax key if MINIMAX_API_KEY is not set. That means the skill attempts to read agent-level configuration outside its directory. If you keep other secrets in openclaw.json, this skill could read them (the code only looks for a specific key path, but it's still reading the file). Consider setting MINIMAX_API_KEY explicitly in the environment and/or ensure openclaw.json does not contain other sensitive secrets. - Credential scope: only provide the IMA note credentials to this skill (and the MINIMAX API key only if you need automatic translation). Avoid giving the skill broader credentials (e.g., AWS keys) — they are unnecessary for its stated purpose. - Cron/privilege changes: the SKILL.md suggests adding hourly cron jobs and uses system-level commands in examples. The included scripts do not automatically install cron entries, but if you or a provided run.sh install cron entries, verify it does not modify unrelated system configuration or include hardcoded secrets. - Audit network endpoints: the scripts contact the IMA API (https://ima.qq.com) and MiniMax (https://api.minimaxi.com) and fetch many external RSS URLs. If you have network egress policies, allow only the expected endpoints. - Missing files / truncated code: the provided vuln_crawler.py was truncated in the listing; request the full source and the absent run.sh to complete your review. Without the full code, there is residual uncertainty. If you want to proceed, recommended safe steps: run the scripts in an isolated environment, provide only the minimal env vars (IMA creds and optionally MINIMAX_API_KEY), inspect or create a run.sh yourself that does not hard-code secrets, and verify openclaw.json is not readable or does not contain extra secrets you don't want the skill to access.

Type: OpenClaw Skill Name: sec-news-crawler Version: 1.0.0 The skill bundle implements a security news and CVE crawler but contains several security vulnerabilities and risky behaviors. Specifically, `scripts/vuln_crawler.py` explicitly disables SSL certificate verification (using ssl.CERT_NONE) for multiple external data sources and programmatically attempts to read the main `openclaw.json` configuration file from a parent directory to extract API keys. Additionally, the documentation in `SKILL.md` suggests that sensitive API credentials for the IMA platform are hardcoded in the execution scripts, which is a significant security flaw.