News Aggregator Skill
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent news-scraping and reporting skill, with expected external web fetching and local report writing that users should notice before use.
This skill is reasonable for public news aggregation. Before installing, be aware that it runs a local Python script, installs common Python packages, contacts several external news sites, may fetch article pages in depth, and saves reports locally under reports/. Treat fetched article text as untrusted content and review generated reports before acting on them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or manipulative article page could try to influence the agent's summary or behavior if its text is over-trusted.
The skill intentionally brings article text from external websites into the agent's context for analysis. That is central to the news-analysis purpose, but the fetched text is untrusted web content and should be treated as data, not as instructions.
`--deep`: **[NEW]** Enable deep fetching. Downloads and extracts the main text content of the articles.
Treat fetched article content as untrusted source material and ignore any instructions embedded inside articles or pages.
Using the global deep scan can generate many web requests and retrieve content from third-party websites.
The skill asks the agent to run a local Python helper that performs a broad multi-source fetch. This is disclosed and aligned with a news aggregator, but users should understand that the command contacts multiple external sites.
python3 scripts/fetch_news.py --source all --limit 15 --deep
Use narrower sources or lower limits when you want less network activity, and review generated reports before relying on them.
Future installs may resolve different package versions than the author tested.
The Python dependencies are common and purpose-aligned, but they are not version-pinned. The registry also provides no formal install spec even though the README describes pip-based setup.
requests beautifulsoup4
Prefer pinned dependency versions or install in an isolated environment if reproducibility matters.
Invisible formatting characters could make instruction text harder to inspect accurately.
The scan signal indicates invisible or rendering-affecting Unicode characters in the skill instructions. The provided visible content does not show a deceptive instruction, but such characters can make reviews harder.
Pre-scan injection patterns were detected in the SKILL.md content: unicode-control-chars
Normalize or inspect SKILL.md for invisible Unicode control characters before publishing or installing in a sensitive environment.