AI builders digest — monitors top AI builders on X and YouTube podcasts, remixes their content into digestible summaries. Use when the user wants AI industry...
Security Analysis
high confidence
The skill mostly does what it says (fetches feeds and produces digests) but contains clear inconsistencies about required credentials and fetch behavior that you should understand before installing.
The name/description match the code: scripts fetch YouTube transcripts and X content and produce digests. Requiring node is appropriate. However the package claims “no API keys needed” in README/SKILL.md, while the code and CI expect a SUPADATA_API_KEY (and the GitHub workflow references an X_BEARER_TOKEN). Asking for SUPADATA_API_KEY is coherent with transcript fetching, but the public docs contradict that — this mismatch is notable.
Runtime instructions write/read config and state under ~/.follow-builders, fetch a remote default-sources.json from raw.githubusercontent.com, and may instruct creation of a .env file to store delivery credentials (Telegram/Resend). The SKILL.md text downplays API key needs, but fetch-content.js clearly calls Supadata endpoints using an API key. The skill also advises detecting the platform and may set cron jobs (OpenClaw vs system crontab). The instructions request reading/writing local files and storing delivery keys in ~/.follow-builders/.env — behavior that is within scope but more invasive than the README claims.
No formal install spec is provided (instruction-only), but the repo contains Node scripts and a package.json; npm install is required by the scripts. The code fetches remote JSON from GitHub (raw.githubusercontent) which is a well-known host. There are no downloads from obscure or shortener URLs. Overall install risk is moderate and typical for a Node-based skill.
Registry metadata lists a single required env var: SUPADATA_API_KEY (which matches fetch-content.js). But documentation repeatedly claims “no API keys needed,” and the GitHub workflow references X_BEARER_TOKEN (Twitter) which is not declared in requires.env. Additionally, deliver.js expects optional TELEGRAM_BOT_TOKEN and RESEND_API_KEY stored in ~/.follow-builders/.env for delivery. The combination of undocumented/optional credentials and contradictory README claims is disproportionate and confusing — users may unknowingly expose API keys or be surprised that a key is required to fetch transcripts.
The skill is not always:true and does not request elevated platform privileges. It creates and writes its own config and state under ~/.follow-builders (normal for a user-level agent). It also fetches a remote default-sources.json at runtime, which lets the maintainer update the tracked list centrally — this is reasonable for the feature but worth noting as a remote-updatable data dependency.
Guidance
This skill appears to implement an AI-builders digest, but the documentation and code conflict on whether API keys are required. Before installing:
1) Expect to run Node and npm install the scripts.
2) SUPADATA_API_KEY is actually used by fetch-content.js to retrieve YouTube transcripts — verify you trust supadata.ai and the provider of that key (README's claim of “no API keys needed” is incorrect).
3) If you run the GitHub action or CI, it references an X_BEARER_TOKEN for X/Twitter access — confirm where that token comes from and whether it's required for your deployment.
4) Delivery options (Telegram, Resend) require you to store TELEGRAM_BOT_TOKEN or RESEND_API_KEY in ~/.follow-builders/.env — consider using stdout/on-demand mode to avoid storing delivery credentials.
5) The skill fetches default-sources.json from raw.githubusercontent.com at runtime, meaning the tracked list can be updated remotely by the repository owner — if you are concerned about what accounts are being tracked, inspect the remote file or vendor a local copy instead.
6) If you need greater assurance, review the full scripts (fetch-content.js and generate-feed.js), especially any network calls and the handling of state, or run the code in an isolated environment/container and test with no credentials (stdout mode) first.
Latest Release
v0.1.0
Initial release of follow-builders skill — delivers curated AI builder digests.
- Onboards users with platform detection and step-by-step setup for delivery preferences, frequency, language, and channels.
- Supports delivery via OpenClaw messaging, Telegram, Email, or on-demand in terminal.
- Guides users through Telegram bot/email setup if needed; no extra keys required for "right here" delivery.
- Automatically manages source lists for tracked builders and podcasts, updated centrally.
- Sets up scheduled jobs (cron) according to user preferences and delivery platform.
- Simple config file and user-friendly reminders for managing and changing settings.
Published by @zarazhangrui on ClawHub