Skill v1.0.0
ClawScan security
News Aggregator Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 8, 2026, 2:00 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly matches a news-aggregator purpose, but there are several coherence and operational risks (hidden control characters in SKILL.md, code present but no formal install spec, a proposed crontab/persistence plan, and anti-hallucination rules that still allow fabricated supplements) that warrant caution before installing or granting system privileges.
- Guidance: This skill appears to implement what it claims (web scraping + Playwright-based deep fetch + markdown reports) but has several worrying inconsistencies and operational risks. Before installing or enabling it:
  - Do NOT grant system-level scheduling (crontab) or run suggested cron commands without manual review; the implementation_plan proposes this but it is not present as an installed artifact. Scheduling would allow persistent, autonomous network access.
  - Treat the SKILL.md as potentially adversarial: remove or inspect any invisible Unicode control characters and any 'magic phrase' triggers (the skill listens for the phrase “如意如意”).
  - Install and run in a sandboxed environment first (container or VM). Verify dependencies (pip packages and Playwright + Chromium) are installed explicitly; the registry lacks a formal install spec even though scripts need these runtimes.
  - Audit scripts that launch Playwright and write files (reports/YYYY-MM-DD/) — check file paths and ensure the skill cannot read unrelated user files. MISTAKES.md shows the author previously read files outside the expected path, so confirm the runtime does not search or read arbitrary filesystem locations.
  - Be aware of the 'Smart Fill' behavior: the skill can supplement missing items (marked with ⚠️) which could lead to fabricated entries; if you need strictly factual output, disable supplementing behavior or require manual review.

  If you want to proceed: run the code locally in a restricted environment, manually install Playwright and Chromium, inspect all scripts (especially any new scripts that would modify crontab or other system state), and only opt into automation after understanding and approving the exact crontab command and scripts involved.
- Findings:
  - [unicode-control-chars] unexpected: The SKILL.md contains detected Unicode control characters. These are not needed for a news-aggregator and can be used to hide or manipulate text/prompts (prompt-injection risk). Review SKILL.md for invisible characters and any hidden instructions before trusting the skill.
Review Dimensions
- Purpose & Capability (note): Name/description match what the code does: many fetchers, Playwright-based deep fetch, and report generation for 28 sources. The README claims 'zero-config' (no API keys) which aligns with the code (no required env vars), but the project does require system-level dependencies (Playwright + Chromium) not declared in registry metadata — mismatch between claimed 'instruction-only/zero-config' and real installation needs.
- Instruction Scope (concern): SKILL.md instructs the agent to fetch sites, enrich content, translate to Simplified Chinese, save reports to disk, and run an interactive menu triggered by a magic phrase. It also contains rules that permit 'Smart Fill' supplementation when results are scarce (potentially fabricating items even though other rules say 'Only use data from JSON'), and it mandates always saving reports to reports/YYYY-MM-DD/. MISTAKES.md documents past behavior where the maintainer read arbitrary files (root artifacts) — indicating the runtime workflow has previously included searching the filesystem for data. These broaden the skill's scope beyond pure fetching/formatting and increase risk of unwanted reads/writes or hallucinated output.
- Install Mechanism (concern): Registry lists no install spec, but the bundle contains Python scripts that require dependencies and Playwright (README and SKILL.md instruct pip install -r requirements.txt and 'playwright install chromium'). The lack of a formal install entry in registry metadata is inconsistent: users/agents may run code without ensuring dependencies are installed. implementation_plan.md proposes adding a crontab and new scripts (daily_scan.sh, generate_basic_report.py) that are not present in the manifest — this discrepancy is notable and raises risk because scheduling/persistence is being proposed but not implemented in the published package.
- Credentials (ok): No environment variables, API keys, or config paths are requested in the registry metadata. The code uses public HTTP endpoints and scraping; it does not request secrets. This is proportionate to a news aggregator's purpose.
- Persistence & Privilege (note): The skill as published does not set always:true and does not require model-disable. However implementation_plan.md explicitly asks the user to approve installing a cron job for daily automated scans (this would be a persistence/privilege escalation if installed). That cron proposal appears in a plan file rather than in active code, so it's not yet enforced — still, it's a clear request that would require elevated permission and explicit user approval before being enabled.
