Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TechSnif — Tech News Intelligence CLI
v1.0.4
Query TechSnif tech news intelligence via bundled CLI. Continuously updated articles across AI, Startups, Venture, and Robotics. Use when asked about tech ne...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description say this is a CLI to query TechSnif public news API. The skill provides a bundled Node CLI script and SKILL.md instructs using that script. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are narrow and prescriptive: run the included Node script with specific commands and --json, check the 'ok' field, and use slugs to fetch articles. The SKILL.md does not instruct reading unrelated files, exporting secrets, or contacting unknown endpoints; it identifies api.techsnif.com as the target environment.
Install Mechanism
There is no install spec (lowest install risk). However, the skill includes a ~143 KB bundled CommonJS script (scripts/techsnif-cli.cjs) that will be executed by Node when invoked. Executing bundled third-party code is expected for an npm-based CLI but carries the usual risk that the script could perform network or local operations beyond those documented; the SKILL.md claims no remote downloads.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportional to a public, read-only news CLI.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent elevated presence or modify other skills' configs. Autonomous invocation (disable-model-invocation false) is the platform default and not a standalone concern.
Assessment
This skill appears coherent: it bundles a Node CLI and the instructions tell the agent how to run it against TechSnif's public API. Before installing or running it, review scripts/techsnif-cli.cjs (or have someone you trust review it) to confirm it only calls the documented API endpoint(s) (api.techsnif.com) and does not access local files, environment variables, or unexpected remote hosts. If you cannot inspect the code yourself, run the CLI in a restricted sandbox/container or with network monitoring to verify its network calls. Because the skill executes bundled JavaScript, treat it like installing any third‑party CLI package and exercise the same caution.
scripts/techsnif-cli.cjs:1819
Shell command execution detected (child_process).
scripts/techsnif-cli.cjs:3556
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ct6ztxc8dcw7yva0t0henpd832mqg
