Skill v1.0.0

ClawScan security

Ai News Oracle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 2:48 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (fetching and summarizing AI news via SkillBoss) matches its runtime instructions and requested credential, with no install-time code or unrelated credential requests.
Guidance
This skill is coherent but depends on a third-party API provider (https://api.heybossai.com). Before installing, verify the SkillBoss provider and developer (swimmingkiim) and ensure you trust where requests and summarized content will be sent. Create and use a scoped, revocable SKILLBOSS_API_KEY (not a high-privilege account key), and review the referenced GitHub repo (openclaw-skill-ai-news-oracle) before running any install command from SKILL.md. If you have privacy or compliance concerns about sending content to heybossai.com, do not provide your API key. The skill is instruction-only (no bundled code), so the main risk is the external API provider's behavior and any code you choose to install from the suggested repo.

Review Dimensions

Purpose & Capability
ok: Name and description claim news aggregation via SkillBoss API Hub and the SKILL.md requires only SKILLBOSS_API_KEY and shows calls to https://api.heybossai.com/v1/pilot — this is coherent and proportional to the stated purpose.
Instruction Scope
ok: Runtime instructions and the Python example only perform search and chat calls to the SkillBoss pilot API and return summaries. They do not instruct the agent to read arbitrary files, access unrelated env vars, or transmit data to unexpected endpoints.
Install Mechanism
note: The skill is instruction-only with no install spec (lowest install risk). SKILL.md includes an example OpenClaw CLI install pointing at a GitHub repo; that external repo is not part of the registry entry and would need separate review before running. This is a minor inconsistency (documentation vs registry content) but not a direct code-execution risk from the registry package itself.
Credentials
ok: Only one environment variable (SKILLBOSS_API_KEY) is declared and used in examples—appropriate for an API-based news aggregator. No unrelated secrets or system config paths are requested.
Persistence & Privilege
ok: Skill does not request always:true and uses default invocation settings. It does not ask to modify other skills or system-wide settings.