Skill v1.0.0
ClawScan security
newspaper-download-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 12, 2026, 8:23 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (query issues and produce PDF download URLs) is plausible, but the runtime code forcibly bypasses system proxies and disables TLS certificate verification, behavior that is disproportionate and risky for a simple downloader.
- Guidance: The skill is plausible for getting PDF download links, but exercise caution before installing or using it.
  1. The script deliberately bypasses system proxies and disables TLS certificate checks. That can circumvent corporate or network controls and leaves its connections open to interception. If you run this inside a managed environment, this alone is a strong reason to avoid it.
  2. The tool reads an import token from config.json (or the IMPORT_TOKEN environment variable) and returns download URLs that embed that token. Anyone holding those URLs can use your token, so treat the URLs themselves as secrets.
  3. SKILL.md insists that you only run the packaged CLI. Review the full get_data.py to confirm that it never writes files, exfiltrates other secrets, or performs unexpected actions, including when it is run without --no-save.
  4. Prefer skills with a known source or homepage and audited TLS behavior. If you need this functionality, consider implementing a small trusted client that honors system proxy settings and validates certificates, or run this script in an isolated environment after a careful code review.
Review Dimensions
- Purpose & Capability: ok. Name, description, required binary (python3), config.json and the script all align with a CLI tool that queries an OCR/download API (pick-read.vip). Accepting an import token and an API base is expected.
- Instruction Scope: concern. SKILL.md mandates using the packaged CLI (not curl/requests) and always passing --no-save, and the code does perform network requests to the API. However, the instructions forbid direct API calls while the code itself bypasses system proxies and can disable TLS checks; this expands the runtime's network behavior beyond what a user would expect and reduces transparency.
- Install Mechanism: ok. No install spec (instruction-only, with an included script), which keeps risk lower than arbitrary remote installs. The repository contains a local Python script only; nothing is fetched or installed at install time.
- Credentials: note. No required environment variables are declared; the script optionally respects OCR_API_BASE and IMPORT_TOKEN, which is reasonable. However, the skill stores or reads an import token in config.json and returns URLs containing that token, so sharing those URLs leaks it. The number of credentials requested is minimal.
- Persistence & Privilege: concern. `always: false` and no special install-time persistence. But SKILL.md's strict "do not save" rule contrasts with code that defines DEFAULT_OUTPUT_DIR and may write files if invoked without --no-save. More critically, the code bypasses system proxies (ProxyHandler({})) and uses SSL contexts that disable certificate verification, giving the script the ability to make direct, unverified outbound connections that can circumvent platform or network policies.
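The network setup this dimension describes, reconstructed beside the small trusted client guidance point 4 recommends, plus a helper for sharing the token-bearing download URLs the Credentials dimension warns about. This is an added example, not code from the ClawHub page or from newspaper-download-skill: skill_style_opener() reconstructs the pattern the verdict names (ProxyHandler({}) plus an unverified SSL context) and is not the skill's code, and the query-parameter names "token"/"import_token" and the sample URL are constructed assumptions, since the page does not say how the token is carried.

```python
"""Weak network setup (reconstructed) beside a hardened urllib client, and a
URL redaction helper for token-bearing download links.

Added example; not code from the ClawHub page or from newspaper-download-skill.
The "token"/"import_token" parameter names and the sample URL are assumptions.
"""
import ssl
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def skill_style_opener():
    """Reconstruction of the described pattern: ProxyHandler({}) drops
    HTTPS_PROXY and platform proxies, and CERT_NONE accepts any certificate,
    so an on-path attacker can terminate TLS and read the token-bearing URLs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),
        urllib.request.HTTPSHandler(context=ctx),
    )
    return opener, ctx


def trusted_opener(cafile=None):
    """Hardened setup: a bare ProxyHandler() reads *_proxy variables and
    platform settings; create_default_context() requires a valid chain and a
    matching hostname. Pass cafile to trust a corporate inspection CA explicitly."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler(),
        urllib.request.HTTPSHandler(context=ctx),
    )
    return opener, ctx


def tls_is_verified(ctx):
    """True only if the context rejects bad chains and hostname mismatches."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def effective_proxies(opener):
    """Proxy table the opener will actually use; {} means direct connections only."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


def redact_token(url, names=("token", "import_token")):
    """Replace secret-bearing query values before a URL is logged or shared.
    The parameter names are an assumption; adjust them to the real API."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in names else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    weak_opener, weak_ctx = skill_style_opener()
    good_opener, good_ctx = trusted_opener()
    print("skill-style: verified TLS =", tls_is_verified(weak_ctx),
          "proxies =", effective_proxies(weak_opener))
    print("trusted:     verified TLS =", tls_is_verified(good_ctx),
          "proxies =", effective_proxies(good_opener))
    # Constructed URL shape; the real API's parameter name may differ.
    print(redact_token("https://pick-read.vip/download?id=42&token=s3cr3t"))
```

With HTTPS_PROXY set in the environment, the trusted opener reports that proxy while the skill-style one always reports an empty table, which is the observable difference a managed network cares about. Checking `tls_is_verified()` on the context a script actually hands to HTTPSHandler is a quicker test than reading every ssl call, and `redact_token()` is what to apply before pasting a download URL into a ticket or chat.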
