Skill v1.0.0
ClawScan security
article-link-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 12, 2026, 8:20 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill generally does what it claims (calls pick-read.vip to fetch paywalled articles), but its metadata, instructions, and code disagree on where the import token comes from, and the code disables SSL verification. These inconsistencies and the TLS behavior are concerning.
- Guidance: Before installing, be aware of three issues. (1) The skill needs a sensitive Import Token (stored in config.json or in environment variables), but the registry metadata does not declare that; confirm you trust the maintainer and the token provider (pick-read.vip) before supplying credentials. (2) The script deliberately disables TLS certificate verification when calling the API; this creates a risk of network interception (MITM). Ask the author to remove or justify the unverified SSL contexts and use standard verified HTTPS. (3) The skill reads a local config.json (excluded by .gitignore) and will send the import token to pick-read.vip; verify you are comfortable placing a token in that file and that the API base (default pick-read.vip) is the intended endpoint. If you cannot verify those points, do not install or run the skill; request that the maintainer (a) declare the required config/env in registry metadata, (b) stop disabling SSL verification, and (c) document token handling and retention. If you must proceed, avoid giving high-privilege tokens and prefer ephemeral/test tokens; consider restricting autonomous invocation until these issues are resolved.
- Findings
  - [ssl_verify_disabled] unexpected: The code intentionally creates SSL contexts that disable certificate verification (check_hostname=False, CERT_NONE, and use of _create_unverified_context). This weakens TLS and makes man-in-the-middle interception of requests to the API possible; it is not justified by the stated purpose and is a security risk.
  - [reads_local_config] expected: The SKILL.md and code require reading {baseDir}/config.json to obtain api_base and import_token. That is expected for this service, but the skill registry metadata omitted the required config paths/credentials, reducing transparency.
  - [accepts_env_tokens] expected: The script accepts IMPORT_TOKEN and API_BASE from the environment, which is reasonable, but these env vars are not declared in registry metadata (primaryEnv missing).
Review Dimensions
- Purpose & Capability (concern): The skill's stated purpose (submit paywalled article links to pick-read.vip and return English text) matches the code's network calls to https://pick-read.vip/api. However, registry metadata declares no required config paths or credentials, while the SKILL.md and code require a local config.json or IMPORT_TOKEN env var (sensitive credential). The omission in metadata is a mismatch that reduces transparency.
- Instruction Scope (concern): SKILL.md restricts runtime behavior to invoking python3 scripts/article_link.py and reading {baseDir}/config.json for import_token, which matches the code. That scope is narrow and appropriate for the feature, but the instructions require reading a local config.json (and the code will also accept IMPORT_TOKEN/API_BASE env vars) while the skill registry did not declare that config path or credentials; this mismatch is a scope/visibility problem. The instructions also forbid direct API calls, but the code itself makes HTTP requests to the external service.
- Install Mechanism (ok): No install spec; it is instruction-only with a shipped Python script. No third-party packages or downloads are installed by the skill itself, which is the lower-risk pattern for skills that rely on an existing python3 binary.
- Credentials (concern): The skill requires an Import Token to operate (sensitive credential). The registry metadata did not declare a primaryEnv or required env/config path, yet the code reads config.json and also accepts IMPORT_TOKEN and API_BASE environment variables. This mismatch (undocumented credential/config requirement) is disproportionate to the transparency expected and should be declared explicitly before install.
- Persistence & Privilege (ok): The always flag is false, and the skill does not request system-wide persistence or modify other skills. The agent-autonomous invocation setting is the platform default and not itself problematic here.
