📰 RSS AI 阅读器 — 自动抓取订阅、LLM生成摘要、多渠道推送! 支持 Claude/OpenAI 生成中文摘要,推送到飞书/Telegram/Email。 触发条件: 用户要求订阅RSS、监控博客、抓取新闻、生成摘要、设置定时抓取、 "帮我订阅"、"监控这个网站"、"每天推送新闻"、RSS/Atom feed 相关。
Security Analysis
high confidenceThe skill's stated purpose (RSS -> LLM summaries -> push) is plausible, but the runtime instructions tell the agent to clone and run external code and rely on sensitive env vars that the skill metadata did not declare — this mismatch and the implied arbitrary-code execution are concerning.
The described capability (fetch RSS, summarize with Claude/OpenAI, push to Feishu/Telegram/Email) matches the instructions and config examples. However, the skill metadata declares no required environment variables or credentials, while the SKILL.md and config_guide explicitly expect LLM API keys and push-channel secrets (ANTHROPIC_API_KEY / OPENAI_API_KEY, FEISHU_WEBHOOK, TELEGRAM_BOT_TOKEN, EMAIL_PASSWORD). That discrepancy (metadata says none required but instructions require multiple secrets) is a mismatch that reduces trust.
The SKILL.md directs the agent to run shell commands that clone a third-party GitHub repo and execute python main.py after installing requirements. These instructions cause the agent (or the user following them) to download and execute arbitrary code, install Python packages, and supply API keys — actions that go beyond simple, self-contained instruction text and enable arbitrary network access and data handling by external code.
There is no formal install spec inside the skill, but the runtime instructions instruct cloning https://github.com/BENZEMA216/rss-reader.git and running pip install -r requirements.txt. That means code and dependencies will be pulled from an external repo and from PyPI at runtime — a higher-risk install flow because the skill bundle itself does not include or vet that code.
The SKILL.md and config guide expect several sensitive environment variables and secrets (Anthropic/OpenAI API keys, Feishu webhook, Telegram bot token & chat id, email SMTP credentials). The skill metadata declared none. Requiring multiple credentials is proportionate to the claimed push/LLM functionality, but the absence of these declared requirements in metadata is an incoherence and hides the fact that secrets must be provided. Supplying these secrets to code downloaded at runtime increases risk of accidental exfiltration.
The skill is not marked always:true and does not request system-wide config paths in metadata. Autonomous invocation (disable-model-invocation: false) is the platform default and not a standalone concern. However, because the instructions cause external code to be executed, that code could create persistent state — the metadata does not document any such persistence.
Guidance
This skill's functionality is plausible, but it asks you (via instructions) to clone and run a third‑party GitHub project and to provide multiple sensitive keys/webhooks — while the skill metadata claims no required env vars. Before installing or using it: 1) inspect the referenced GitHub repo and its main.py/requirements to confirm behavior and check for network/exfiltration code; 2) prefer the skill bundle to include audited code or a trusted release URL rather than an arbitrary clone; 3) avoid reusing high‑privilege API keys (use keys with minimal scopes or dedicated service accounts); 4) run the code in a sandbox/container or review dependency versions in requirements.txt; 5) if you cannot audit the repo, do not provide production secrets. If the publisher supplies the included code directly in the skill (or documents a vetted release and explicitly lists required env vars in metadata), my concern level would drop.
Latest Release
v1.0.0
- 首次发布 RSS AI 阅读器:自动抓取 RSS/Atom 订阅,利用 Claude/OpenAI 生成中文摘要,并多渠道推送(飞书、Telegram、Email)。 - 配置简单,支持定时任务和 SQLite 去重,避免重复推送。 - 命令行支持单次执行、定时任务和查看统计信息。 - 详细文档与配置示例,便于快速上手。
More by @BENZEMA216
Published by @BENZEMA216 on ClawHub
