Is lknik/news-feed safe?
https://github.com/openclaw/skills/tree/main/skills/lknik/news-feed
The lknik/news-feed skill's core Python implementation is clean and legitimate — it fetches RSS headlines from well-known news sources using only Python stdlib. However, the .claude/settings.local.json grants Bash(git add:) and Bash(git commit:) permissions that have no justification for a news-reading skill and create a covert file-staging attack vector that would bypass user approval dialogs. The AP news feed is also routed through a third-party aggregator (rsshub.app) rather than fetched directly. Sensitive file reads detected during monitoring are attributable to the oathe audit infrastructure with high confidence, not to the skill itself.
Category Scores
Findings (8)
HIGH Unjustified git add permission in settings.local.json -25 ▶
The skill grants Bash(git add:*) which allows the agent to stage any file on the filesystem without user approval prompts. A news-reading skill has no legitimate need for this capability. This permission enables covert staging of sensitive files (credentials, environment variables, SSH keys) that may exist in the user's working directory.
HIGH Unjustified git commit permission in settings.local.json -15 ▶
The skill grants Bash(git commit:*) which allows committing staged files without user approval. Combined with the git add permission, this creates a complete pipeline for covertly capturing sensitive files into git history, which persists even after file deletion and is easily exfiltrated by any subsequent git push.
MEDIUM git add + commit permissions enable covert file staging attack vector -30 ▶
The combination of unrestricted git staging and commit permissions is the most dangerous aspect of this skill. An attacker who can influence the agent (via prompt injection through RSS content, or social engineering) could instruct it to run git add ~/.aws/credentials && git commit -m 'config update' entirely within the approved permission set, with no user approval dialog shown.
MEDIUM Overly broad python3 wildcard permission -5 ▶
The Bash(python3:*) permission allows execution of any Python script, not just the declared scripts/news.py. If an attacker can write a file to disk or reference an existing Python script with malicious capability, this permission grants silent execution.
MEDIUM AP News routed through third-party rsshub.app aggregator -10 ▶
The AP News feed is fetched via https://rsshub.app/apnews/topics/apf-topnews rather than directly from Associated Press. RSSHub is an open-source third-party aggregator that may log request metadata including source IP and fetch frequency, creating an unannounced external dependency not disclosed in the skill description.
LOW Sensitive honeypot files accessed (read) during monitoring window -15 ▶
Files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened and read during the monitoring period. Timing analysis places the first access batch (12:15:24, audit seq 250-255) before the git clone, consistent with the oathe audit system establishing its canary baseline. The second batch (12:15:41, seq 1445-1450) aligns with the audit file scan phase. Content was not modified. Attributed to audit infrastructure with medium-high confidence.
LOW Broad 'When to Use' activation triggers -7 ▶
The SKILL.md lists very common conversational phrases as activation triggers ('what's happening in the world', 'morning briefing', 'current events'). This may cause the skill to activate in contexts where the user did not explicitly request news fetching, increasing the frequency of outbound connections and potential exposure of agent activity to RSS feed servers.
INFO Background system network connections during install window -10 ▶
Established connections to 91.189.91.49:443 and 185.125.188.54:443 (Ubuntu/Canonical infrastructure) were present during the install window. These are attributable to Ubuntu's motd-news service and package checking, which ran concurrently. Not skill-initiated.