Skill v1.0.0
ClawScan security
World News Aggregator Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 3:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with a news-aggregation purpose: it fetches RSS/Atom/HTML feeds, requires no credentials, and its included script behavior matches the README/SKILL.md apart from minor implementation details.
- Guidance: This skill appears coherent for fetching and formatting public news feeds. Points to consider before installing: 1) The README promises 'AI summaries' but the included script only fetches/truncates feed text — make sure your agent or environment will perform summarization if you expect that feature. 2) The script will auto pip-install dependencies if missing, which triggers network access and writes packages to the environment; run in a sandbox or virtualenv if you want to avoid system-wide installs. 3) The skill fetches many external feeds (including government and foreign sites); feeds can contain links or content you may not want to display, so review and restrict sources if needed. 4) Verify the upstream repository/author if you require provenance (the package references a GitHub repo); otherwise review the code yourself before running. If any of these are concerns, run the script in an isolated environment or decline installation.
Review Dimensions
- Purpose & Capability (note): The skill claims 'AI 智能摘要' (AI-powered summaries) and 'zero-config' in SKILL.md/README, but there is no code calling an external summarization API or model. The fetch-news.py collects and truncates feed summaries but does not perform automated ML summarization itself — that work is presumably intended to be done by the OpenClaw agent using the fetched text. Otherwise, requested files and dependencies (requests, feedparser, bs4) align with a news aggregator.
- Instruction Scope (ok): Runtime instructions and the script only fetch public feeds, parse them, and format output. The SKILL.md/README do not instruct reading unrelated files or environment variables. Note: scripts/fetch-news.py will attempt to pip-install requirements at runtime if imports are missing, which causes network access and package installation when the script runs.
- Install Mechanism (note): There is no platform install spec; README suggests adding via npx/git clone. The only automated install behavior is fetch-news.py invoking pip to install requirements if imports are missing. Dependencies are standard PyPI packages (requests, feedparser, beautifulsoup4, etc.), not downloads from unknown personal servers or shorteners.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. The script uses rotating User-Agent headers but does not access secrets or other system config. Required permissions are proportionate to fetching public web content.
- Persistence & Privilege (ok): The skill does not request always:true or modify other skills. It is user-invocable and can be invoked autonomously by the agent (default), which is normal for skills.
