v1.0.4

Noticias Cangrejo

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:42 AM.

Analysis

This skill coherently fetches GNews articles for a user topic and outputs a Markdown digest; the main things to notice are expected API-key use, optional file writing, and a minor version metadata mismatch.

Guidance: This skill appears reasonable to install if you want GNews-based digests. Set the GNEWS_API_KEY only through a secure environment or dashboard setting, avoid committing it to files, and be deliberate when using --output so you do not overwrite an important file. Also note the registry/_meta version mismatch and verify package contents if strict provenance matters.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/fetch_news.py
with open(args.output, "w", encoding="utf-8") as handle:

The optional --output parameter writes the Markdown digest to a caller-selected path. This is purpose-aligned, but it can overwrite the selected file if used carelessly.

User impact: If the agent or user chooses an existing file path for --output, the generated digest could replace that file's contents.
Recommendation: Use --output only with an intended safe path, preferably a new file in the working directory.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
_meta.json
"version": "1.0.1"

The registry metadata for the evaluated skill lists version 1.0.4, while the packaged _meta.json lists 1.0.1. The behavior still appears coherent, but the mismatch can confuse provenance or version tracking.

User impact: It may be harder to confirm exactly which package version is installed from metadata alone.
Recommendation: Verify the installed package contents and prefer a package whose registry and internal metadata versions match.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/fetch_news.py
"apikey": api_key,

The script sends the user's GNews API key as part of the GNews API request parameters. This is necessary for the service and is disclosed, but it still uses a user credential and may consume quota.

User impact: Your GNews API key will be used to make news-search requests, which can affect your GNews account limits or billing depending on your plan.
Recommendation: Provide the key through environment/dashboard configuration, do not hardcode it in files, and monitor GNews usage if quota or billing matters.