by 安全扫描
OpenClaw
安全
high confidenceThe skill's code, scripts, and runtime instructions are consistent with a news-aggregation and push service: it asks the agent to fetch/search public news sources, stores only small user preference files under data/users, and installs no external packages or credential requirements.
评估建议
This skill appears to do what it says: aggregate public RSS feeds and web searches and generate briefings and scheduled push notifications. Before installing, consider: 1) the agent will perform network fetches and searches of public sites at runtime — if you have privacy concerns, review which sources are fetched (RSS list is in scripts/rss-fetch.js); 2) the skill will store minimal user preference files under data/users/<userId>.json on the host — ensure you’re comfortable with that storage lo...详细分析 ▾
✓ 用途与能力
Name/description (RSS + WebSearch aggregation, morning/evening brief, breaking alerts, topic tracking, multi-channel push) matches the included scripts and SKILL.md. The scripts implement registration, preference storage, cron registration, prompt generation for morning/evening/breaking briefings, and an RSS feed list — all expected for this purpose.
ℹ 指令范围
SKILL.md and scripts explicitly instruct the agent to perform WebSearch/WebFetch of public RSS and web pages and to produce summaries — this is necessary for a news aggregator but does mean the agent will fetch content from many external sites at runtime. The scripts that claim 'no network I/O' are prompt generators (they output instructions for the agent to webfetch) which is consistent but worth noting. The skill only asks the agent to read/write data under data/users for preferences; inputs are sanitized to avoid path traversal.
✓ 安装机制
No install spec or external downloads; this is an instruction-and-script-only skill (Node >=18 runtime). No archive downloads or third-party package installs are performed by the skill itself.
✓ 凭证需求
The skill requests no environment variables or external credentials. It does construct cron messages referencing channel names (telegram/feishu/slack/discord) and userId, but it does not request channel tokens or API keys itself — platform-level channel credentials would be used by OpenClaw, which is appropriate and proportional.
✓ 持久化与权限
always is false (not force-included). The skill writes/reads small JSON profiles under data/users/<userId>.json to store preferences and push status; file IO includes path checks and id sanitization to mitigate path traversal. It also emits __OPENCLAW_CRON_ADD__/__OPENCLAW_CRON_RM__ console tokens to register cron jobs with the platform, which is expected for scheduled push behavior.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.0.32026/3/25
NewsToday 2.0.3 - No file or content changes detected since the previous version. - All features, descriptions, and usage remain unchanged.
● 无害
安装命令 点击复制
官方npx clawhub@latest install newstoady
镜像加速npx clawhub@latest install newstoady --registry https://cn.clawhub-mirror.com
技能文档
私人新闻助手 — 早报 · 晚报 · RSS聚合 · 突发提醒 · 话题追踪 · 个性化推送
何时使用
- 用户说"早报""今天新闻""新闻摘要""今天发生了什么"
- 用户问"热搜""微博热榜""知乎热榜"
- 用户想看某类新闻:科技、财经、娱乐、体育、社会、国际
- 用户说"追踪 XX""XX 最新消息""XX 怎么样了"
- 用户说"开启推送""订阅早报""每天推新闻"
- 用户说"突发""重大消息""有什么大事"
🌐 语言规则
- 默认中文;用户英文提问切英文
- 新闻标题保留原文,摘要用回复语言改写
📋 功能说明
早报
从 RSS(新浪/澎湃/36氪/BBC中文/Reuters中文)+ WebSearch 双源聚合,去重后选10条覆盖不同领域,按用户话题偏好加权排序,每条含标题、来源、2句摘要。晚报
收官3-5条当日重要新闻 + 1-2条热点最新进展 + 明日日程预告。突发新闻提醒
每2小时检测(08:00-22:00),仅在满足阈值(7级以上地震、市场熔断、重大政策等)时推送,不骚扰用户。热榜聚合
搜索微博热搜 + 知乎热榜 + 百度热搜,去重合并,标注来源,多平台共同热点置顶。话题追踪
搜索{关键词} 最新 {日期} + {关键词} 进展 + {关键词} 官方回应,时间线倒序输出,含各方反应。深读
用户回复序号或说"详细说说 XX"时,多角度搜索,交叉验证,呈现详细经过、各方反应、延伸阅读。分类浏览
| 分类 | 搜索词 |
|---|---|
| 科技 | 科技新闻 今日、AI新闻 |
| 财经 | 财经新闻 今日、股市 |
| 娱乐 | 娱乐新闻 今日 |
| 体育 | 体育新闻 今日、赛事结果 |
| 社会 | 社会新闻 今日、民生 |
| 国际 | 国际新闻 今日、外交 |
🔧 脚本说明
# 注册(可选,解锁个性化推送)
node scripts/register.js [language] [topics] [channel]
# 示例:
node scripts/register.js alice zh 科技,财经,国际 telegram
node scripts/register.js bob en tech,finance telegram# 话题偏好
node scripts/preference.js show
node scripts/preference.js set <话题> <权重0-1>
node scripts/preference.js reset
# 手动触发(不需要注册)
node scripts/morning-push.js [userId]
node scripts/evening-push.js [userId]
node scripts/rss-fetch.js [--lang zh|en] [--topics 科技,财经,国际]
node scripts/breaking-alert.js
# 推送管理
node scripts/push-toggle.js on [--morning 08:00] [--evening 20:00] [--channel telegram]
node scripts/push-toggle.js off
node scripts/push-toggle.js status
支持渠道:telegram / feishu / slack / discord
⚠️ 注意事项
- 每条新闻必须标注来源媒体
- 涉及争议内容呈现多方视角,不做立场判断
- 不注册可直接使用早晚报;注册后可按话题个性化、开启突发提醒
- 用户数据仅存储推送偏好和话题权重(
data/users/),不含新闻内容.json - RSS 源无法访问时自动降级为 WebSearch,不影响正常使用
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制