RSS Reader
PassAudited by ClawScan on May 10, 2026.
Overview
This looks like a normal RSS reader, with expected network fetching and feed-state storage, but users should review feed sources, optional scheduling, and the documented package-install step.
Before installing, review or edit the default feeds, only add RSS URLs you trust, treat feed item text as untrusted research content, and enable the heartbeat/cron example only if you want ongoing background checks. If using the documented npm install step, consider pinning versions or verifying that the current script actually needs those packages.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised feed could include text that looks like instructions to the agent.
The script prints titles and descriptions from remote RSS feeds into agent-visible output. That is expected for this skill, but the content is untrusted.
if (item.description) { console.log(` ${item.description.slice(0, 200)}...`); }Treat feed contents as quoted research material, not as instructions; do not let RSS item text change goals, run commands, or override user intent.
Running checks will contact the configured feed hosts and any followed redirects.
The skill fetches user-configured URLs over HTTP or HTTPS and follows redirects. This is expected for an RSS reader, but it means configured feed URLs control outbound network requests.
const client = url.startsWith('https') ? https : http; ... return fetchUrl(res.headers.location)Review data/feeds.json and only add feed URLs you intend to contact; prefer HTTPS feeds and be cautious with internal or private URLs.
If a user follows the optional install command, dependency versions may change over time.
The documentation mentions installing unpinned npm packages even though the visible script uses built-in parsing. This is a minor supply-chain/setup note rather than suspicious behavior.
npm install xml2js node-fetch
Install dependencies only if actually needed, use trusted registries, and consider pinning package versions.
If enabled, the agent or cron job may keep checking feeds on a schedule.
The skill documents optional persistent scheduling for daily feed checks. This is aligned with feed monitoring, but it continues operating after setup.
Set up daily feed checking via heartbeat or cron
Enable heartbeat or cron only if you want ongoing monitoring, and remove the scheduled task when it is no longer needed.