Skill v1.0.0
ClawScan security
abe-finance-news · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 24, 2026, 4:10 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement a real finance-news pipeline, but its packaging and runtime instructions are inconsistent, and it requests or assumes sensitive artifacts (browser cookies, messaging targets, an LLM endpoint) without declaring credentials or an install procedure. This mismatch deserves caution before installing or enabling automated runs.
- Guidance: This package looks like a genuine finance-news tool, but the registry metadata and SKILL.md are inconsistent with the included code. Before installing or enabling automated runs:
  1. Don't run the setup or add cron jobs until you have inspected the code locally (particularly scripts/ and workflows/) and understand how messages are sent.
  2. Check and change the FINANCE_NEWS_TARGET/FINANCE_NEWS_CHANNEL defaults; do not leave the provided WhatsApp group id in place.
  3. Treat any cookies.json or exported browser session tokens as highly sensitive (they act like passwords); prefer free RSS sources or official APIs instead of storing session cookies.
  4. Confirm how LLM calls are authenticated (SkillBoss / /v1/pilot) and where API keys would be stored; the skill did not declare required credentials.
  5. If you want to try it, run it in an isolated environment (container or VM), audit workflow actions (lobster, openclaw cron commands), and avoid giving it persistent cron jobs or direct messaging access until you have verified delivery endpoints and credentials.
  If unsure, ask the skill author to update the metadata to declare required credentials and provide an install spec.
- Findings:
  - [cookies-json-reference] expected: Docs and sample code show a local config/cookies.json file being used to hold browser session cookies for premium RSS feeds. This is plausible for accessing paywalled feeds, but it is sensitive (session tokens). The skill did not declare these credentials in requires.env, so the registry metadata omits an important secret requirement.
  - [hardcoded-whatsapp-group-default] unexpected: Cron scripts export FINANCE_NEWS_TARGET with a default WhatsApp group id (120363421796203667@g.us). A hardcoded default delivery target is unexpected and dangerous: if a user follows the setup examples without changing it, briefings could be sent to an external group.
  - [calls-lobster-cli] expected: Multiple cron scripts and README examples call 'lobster run', and SKILL.md instructs using Lobster for workflows. This is consistent with the described automated delivery feature but implies an external dependency (lobster) that isn't declared in the registry metadata.
  - [external-llm-endpoint_mention] unexpected: SKILL.md references 'SkillBoss API Hub' and '/v1/pilot' as the LLM routing endpoint. Using an LLM endpoint is expected for AI summaries, but no API key or environment variable for authenticating to that endpoint is declared in the metadata; the skill's code almost certainly requires credentials that are not surfaced to the user via requires.env.
Review Dimensions
- Purpose & Capability (concern): The name and description match the repository contents (RSS fetching, summarization, briefing, cron delivery). However, the skill metadata claims 'instruction-only' with no install spec and no required env vars, while the bundle actually contains a full Python codebase, setup scripts, cron jobs and workflow YAMLs. The code expects external systems (LLMs via an API hub, the Lobster workflow engine, WhatsApp/Telegram delivery, optional premium-source cookies). Those are reasonable for the described purpose, but they are not declared as required credentials or dependencies in the registry metadata, which is inconsistent.
- Instruction Scope (concern): SKILL.md and the docs explicitly instruct the agent/user to run setup, add cron jobs, export and store browser session cookies for premium feeds, configure delivery groups, and call lobster/openclaw. The instructions reference writing sensitive cookie files and scheduling automated delivery. They also reference a SkillBoss API Hub endpoint (/v1/pilot) for LLM summarization but do not specify how API keys are provided. The instructions therefore go beyond simple read-only news summarization: they instruct storing and transmitting sensitive data and creating persistent scheduled tasks.
- Install Mechanism (concern): The registry lists no install spec (instruction-only), but the package includes dozens of code files, setup scripts, and a Dockerfile/venv setup script, meaning the skill is not purely documentation. The absence of an install mechanism in the metadata combined with the presence of runnable code is an incoherence: users will need to install Python dependencies and possibly run setup/venv scripts, but the registry gives no guidance or automated installer. This increases the chance of accidental misconfiguration when following SKILL.md.
- Credentials (concern): The registry declares no required env vars or primary credential, yet the runtime artifacts and docs demonstrate the need (or optional use) of: LLM/API credentials for the '/v1/pilot' hub, session cookies for premium sources (cookies.json), and messaging/delivery credentials and targets for the WhatsApp/Telegram workflows. Cron scripts set a default FINANCE_NEWS_TARGET group ID (120363421796203667@g.us), and FINANCE_NEWS_CHANNEL defaults to 'whatsapp'; sending to that default without an explicit user change could exfiltrate briefings. Requiring browser cookies and providing examples for exporting session tokens is particularly sensitive and should be declared and gated.
- Persistence & Privilege (note): The skill does not request always:true and does not appear to modify other skills. However, the package encourages adding system cron jobs and running Lobster workflows that will periodically generate and send briefings. Those are user actions, but they create ongoing persistence (scheduled jobs) and potential external communications; the user should treat adding cron/workflow triggers as granting ongoing behavior and verify targets and credentials first.
