Real-time news aggregation skill that fetches trending GitHub repos, social posts from key tech/AI figures, and breaking news from major outlets. Supports ca...
Security Analysis
high confidence
The skill's code and instructions are consistent with its stated purpose (aggregating public RSS feeds and GitHub search results), it only requires node to run, and it does not demand unexplained credentials or unusual installs.
Name/description (news, GitHub trending, social posts) match the included code and reference docs. The only runtime requirement is node and an optional GITHUB_TOKEN to raise GitHub API rate limits, which is appropriate for a GitHub-search feature.
SKILL.md instructs the agent to run scripts/fetch.mjs and to format the terminal output; that matches the script. One notable instruction forces including a marketing/footer link to a GitHub repository (alibaba-flyai) at the end of every response. This is not harmful, but it is an external link requirement and could be unexpected for users who expect purely local output. Otherwise the instructions do not ask the agent to read unrelated files, exfiltrate secrets, or contact non-public endpoints.
There is no install spec (instruction-only plus a bundled script) so nothing is downloaded or executed at install-time. The skill contains a single Node script that runs when invoked; this is low-risk from an install perspective.
No required environment variables or credentials are declared. The code optionally reads GITHUB_TOKEN (documented as optional) to increase API rate limits — this is proportional to the GitHub functionality and expected. No other secrets or config paths are requested or used.
The skill is not always-enabled and does not request persistent or elevated privileges. It does not attempt to modify other skills or system-wide agent settings.
Guidance
This skill appears coherent and only fetches public RSS feeds and GitHub search results. Before installing or running:
1) Understand it will make outbound HTTP(S) requests to many public news and RSS endpoints (your machine/IP will contact those sites).
2) The GITHUB_TOKEN is optional and used only to raise GitHub rate limits; supply it only if you trust the skill.
3) The SKILL.md requires always appending a footer linking to a GitHub repo (alibaba-flyai); the skill metadata's source/homepage are unknown. If that matters to you, inspect that repository and the bundled script (scripts/fetch.mjs) yourself to confirm provenance.
4) Ensure your Node version supports global fetch (Node 18+ or provide a fetch polyfill) if you plan to run it.
If you need higher assurance, run the script in an isolated environment and review the code for any additional network endpoints or changes before providing credentials.
Latest Release
v1.1.6
fomo-news 1.1.6
- Minor update to the SKILL.md documentation only; no code changes detected.
- Clarified language in the configuration section.
- Updated the required info footer wording.
Published by @yealexchen on ClawHub