📦 hfnews — IT安全资讯

v1.0.0

聚合多源 IT 与网络安全新闻，自动过滤政治、体育等无关内容，可自定义黑名单，精准推送高价值资讯。

0· 705·2 当前·2 累计

by @huberteff

数据分析网络工具自动化安全

下载技能包

最后更新

2026/4/22

安全扫描

VirusTotal

可疑

查看报告

OpenClaw

可疑

high confidence

The skill's description (simple news fetcher) loosely matches the included code, but the package omits required runtime dependencies and install/run instructions and includes sloppy/malformed feed URLs — the bundle is inconsistent and needs clarification before use.

评估建议

This package contains runnable code but is inconsistent with its metadata and README. Things to consider before installing or running it: - Dependencies: fetcher.js requires Node and the 'puppeteer' package plus a Chromium binary at /usr/bin/chromium; scripts/news.py requires Python 3. The skill metadata declares no required binaries — verify you are prepared to install these and that you trust the author. - Installation ambiguity: there is no install or run instruction. You will likely need to ...

详细分析 ▾

⚠ 用途与能力

The skill claims a simple news fetcher and lists no required binaries or env vars, but the bundle contains Node code (puppeteer) that expects a Chromium binary at /usr/bin/chromium and a Python RSS script — the registry metadata does not declare Node, Chromium, or Python as requirements. A legitimate news fetcher would either be instruction-only (call a known CLI) or declare these dependencies; the omission is incoherent.

⚠ 指令范围

SKILL.md shows a single 'news' command and example categories but does not tell which file to run or how to install dependencies. The included fetcher.js performs full headless-browser scraping (expected for some scrapers) and the Python script fetches RSS feeds. Neither the SKILL.md nor the metadata instructs the agent to install node modules, provide a Chromium binary, or which script is the canonical runtime — this ambiguity grants the agent broad discretion and could lead to unexpected actions.

⚠ 安装机制

There is no install spec despite package.json/package-lock and a heavy puppeteer dependency. Puppeteer typically requires downloading/using a browser binary (or a system Chromium); fetcher.js hardcodes '/usr/bin/chromium' and uses --no-sandbox flags. The lack of an explicit, safe install procedure and the large transitive dependency tree in package-lock increases operational risk (unexpected heavy installs, privileged flags).

✓ 凭证需求

The skill requests no environment variables, credentials, or config paths. The code does not try to read secrets or external tokens. Network access is used only to fetch news sources listed in SKILL.md, which is consistent with the stated purpose.

✓ 持久化与权限

Registry flags are default (always:false, agent invocation allowed). The skill does not request elevated persistent presence or modify other skills/configs. No 'always: true' or other high-privilege behavior is present.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/2/14

Hubert's news skill with stopwords filter for IT/Cybersecurity

● 可疑

安装命令

点击复制

官方npx clawhub@latest install hfnews

镜像加速npx clawhub@latest install hfnews --registry https://cn.longxiaskill.com

数据来源：ClawHub ↗ · 中文优化：龙虾技能库