Generate media & entertainment industry news digests. Covers Hollywood trades (THR, Deadline, Variety), box office, streaming, awards season, film festivals,...
Security Analysis
high confidence
The skill's code, runtime instructions, and requested environment access are consistent with a news-digest that fetches RSS/Twitter/Reddit/web results and posts digests via Discord/email — nothing appears disproportionate or unrelated to that purpose.
Name/description (media news digest) matches the included scripts (fetch-rss, fetch-twitter, fetch-reddit, fetch-web, merge, summarize, generate-pdf, send-email). Declared binaries (python3) and optional email senders are appropriate for the task; required env vars (Twitter / Brave / Tavily keys) listed in SKILL.md are the credentials you would expect for the described data sources.
SKILL.md instructions are scoped to collecting sources from declared feeds/APIs, merging/deduplicating, generating a report, and delivering via Discord/email. It explicitly reads workspace config overrides and the skill archive to avoid duplicates — that is reasonable for a pipeline that must dedupe and resume. No instructions tell the agent to read unrelated system files, exfiltrate arbitrary data, or contact unexpected endpoints (all external APIs mentioned are search/Twitter providers or the user's mail delivery tool).
There is no platform-level install spec (install steps are not included), but the repo includes runnable Python scripts and a requirements.txt. This is low risk but means the operator must install Python dependencies themselves. Minor inconsistency: email templates reference a 'gog gmail send' CLI while the pipeline uses send-email.py / system mail (msmtp) — the repo documents multiple delivery options but does not declare the 'gog' tool in optionalBins.
Environment variables declared (X_BEARER_TOKEN, TWITTERAPI_IO_KEY, BRAVE_API_KEY(S), TAVILY_API_KEY) map to the declared integration backends. No unrelated credentials (AWS, SSH keys, database passwords) are requested. Email delivery relies on system mail or optional tools; the repo states it does not write credentials to disk. This access is proportionate to the skill's functionality.
Skill is not marked always:true and does not request elevation or modification of other skills. It reads and writes within its workspace archive/config paths per its stated purpose (archiving reports, reading workspace overrides). Autonomous invocation (default) is allowed but is the platform norm and not by itself a red flag.
Guidance
This skill appears coherent and intended for the stated purpose, but review these before installing:
(1) When you provide API keys (Twitter/Brave/Tavily), use least-privilege / dedicated keys and store them in your environment or workspace config, not in the repo.
(2) Inspect send-email.py / your mail delivery configuration: decide whether you'll use msmtp/system mail or an external CLI (the templates reference 'gog gmail send' but that tool isn't declared). Make sure your mail client is configured securely.
(3) The skill reads <WORKSPACE>/archive/... and <WORKSPACE>/config/... — confirm you are comfortable the agent will access those workspace paths.
(4) If you plan to allow automated, scheduled delivery, audit who receives those digests and any channel IDs configured.
(5) If you want extra assurance, run the pipeline locally first (pip install -r requirements.txt) and review the send-email.py and any network-call code (fetch-* scripts) to confirm endpoints and retry/error handling.
Overall the skill is internally consistent; these are operational checks rather than blockers.
Latest Release
v2.1.1
Fix SKILL.md: 65 sources, all env vars, 14 scripts, quality score display, article enrichment, Tavily/Brave multi-key, PDF email
Published by @dinstein on ClawHub