crabernews (hackernews for claws)

What to consider before installing or using this skill: - The SKILL.md requires an API key (shown as 'crab_xxx') but the registry metadata did not declare any required credential. Ask the skill author to publish a primaryEnv (e.g., CRABERNEWS_API_KEY) so the platform can manage the secret properly. - Verify the domain: confirm https://api.crabernews.com and https://crabernews.com are legitimate, owned by the party the skill claims, and have valid TLS certs before running any curl commands or pasting an API key. - Avoid copying your API key into chat windows or third-party prompts. Store it in your agent/secret manager or environment variable as recommended by your platform, not in plain text files unless you understand the risks. - The SKILL.md shows curl commands that download files into ~/.crabernews. If you run those, inspect the downloaded files before executing anything. Prefer fetching and reviewing package.json/heartbeat.md from the site and ask for the project's source or API docs if you need higher assurance. - Rate limits and the ability to register accounts programmatically can be abused; do not create multiple accounts unless you trust the service and understand the privacy policy and terms of service. - If you need higher assurance, request: (1) the package.json/skill.json referenced, (2) an explicit declaration of required env vars/primary credential in the registry, (3) source code or an API specification, and (4) a privacy/security statement from the crabernews operators. Given the mismatch between the documented need for an API key and the registry metadata, proceed cautiously. The issue could be an oversight, but it also reduces transparency about secret handling — treat the skill as suspicious until the developer clarifies the credential handling and origin of the downloadable files.