Skill v1.0.0
ClawScan security
Danish News Aggregator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 4:16 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package mostly matches its stated purpose (aggregating Danish RSS feeds) but contains several implementation inconsistencies and a security-relevant runtime choice (disabled SSL verification) that deserve attention before you run it.
- Guidance: This skill appears to do what it claims (aggregate Danish RSS feeds), but review and fix a few things before running it on a production system:
  1. The aggregate_feeds.py file disables SSL certificate verification (ctx.verify_mode = ssl.CERT_NONE). Either remove that code or ensure you trust your environment — running with verification disabled exposes you to MITM attacks.
  2. aggregator.py contains a malformed feed entry in the sports list (a broken URL/string) — expect runtime errors or skipped feeds; test in a safe environment and correct the feed list.
  3. SKILL.md suggests building a Docker image but no Dockerfile is provided; if you want containerized deployment, add a Dockerfile or use the cron example.
  4. Because the scripts fetch many external URLs, run them in a network-restricted or monitored environment until you confirm behavior.
  5. If you will expose generated feeds publicly, confirm the feed source attributions and that you comply with the source sites' terms of service.
  If the author can provide an updated release that removes disabled SSL verification, fixes the malformed feed entry, and includes a Dockerfile (or clarifies intended run mode), my confidence would increase.
Review Dimensions
- Purpose & Capability (note): Name/description align with the code and bundled feed lists: the scripts fetch RSS feeds, deduplicate and produce combined feeds. However there are small mismatches: SKILL.md suggests Docker hosting (docker build/run) but no Dockerfile is included; SKILL.md promises auto-refresh every 15 minutes but the provided aggregator.py is a one-shot script (no long-running scheduler) — though SKILL.md also shows a cron example which is reasonable. Output locations differ: SKILL.md claims output/ directory (correct for aggregator.py) while aggregate_feeds.py writes combined_danish_news.xml next to the script. These are likely engineering oversights, not deliberate misdirection.
- Instruction Scope (concern): Runtime code performs exactly the expected network I/O (fetching many external RSS URLs). However aggregate_feeds.py creates an SSL context that disables certificate verification (ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE) which weakens transport security and can facilitate man-in-the-middle attacks. aggregator.py contains a malformed feed entry in the sports list (corrupted string/URL) indicating a bug that could crash or skip sources. SKILL.md's Quick Start asks to run python3 aggregator.py and to pip install feedparser and python-dateutil (correct for aggregator.py). No instructions ask for unrelated files, credentials, or external endpoints beyond RSS sources.
- Install Mechanism (ok): There is no install spec; this is instruction-plus-code that relies on standard Python packages. SKILL.md suggests installing feedparser and python-dateutil via pip — reasonable and proportional. No downloads from unknown hosts or archive extraction are present. The absence of a Dockerfile (despite Docker build instructions) is an inconsistency but not an installation security risk by itself.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths beyond editing feeds.json — appropriate for an RSS aggregator. Network access to the listed RSS URLs is expected and necessary for function.
- Persistence & Privilege (ok): The skill does not request always:true and does not attempt to modify other skills or system-wide configuration. It writes generated feed files to an output directory (aggregator.py creates output/) and a combined XML file is included — normal behavior for a feed generator.
