Skill v1.0.1

ClawScan security

AI Weekly Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 2:09 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions match its stated purpose (collecting AI news from listed sites and producing a Markdown report); it is an instruction-only skill that requests no credentials or installs.
Guidance
This skill is internally consistent: it will use a WebFetch-like tool to read articles from the listed sites and produce a Markdown report, and it asks the user for a date range (max one month). Before installing/using:
1) Be aware the skill will access external websites — ensure you are comfortable with the agent fetching those URLs.
2) The Feishu wiki link may require authentication; the skill does not request credentials and will report inaccessible pages if any.
3) The skill may save a file to the current directory if file operations are supported — confirm you want the agent to write files there.
4) Because it is an autonomous-capable skill (default), only enable it if you trust the agent to access the web on your behalf.
If you want extra caution, run it with a short date range or ask it to only produce output without saving files.

Review Dimensions

Purpose & Capability
ok: Name/description (AI 周报总结) aligns with instructions: fetch articles from the listed AI news sites, extract title/date/key points, group by event, and produce a Markdown report. The skill declares no extra binaries, env vars, or config paths, which is consistent with a scraping/summary task.
Instruction Scope
note: Instructions explicitly limit data sources to the provided list and require a user-specified date range (max one month). Runtime steps only mention using a WebFetch tool to read article pages and optionally saving a Markdown file. One caveat: one listed source is an internal Feishu wiki URL which often requires authentication; the skill does not request credentials and correctly says to record and notify the user if a page is inaccessible.
Install Mechanism
ok: No install spec and no code files (instruction-only). This minimizes surface risk because nothing is written to disk or downloaded by the skill itself during install.
Credentials
ok: The skill requests no environment variables or credentials. That is proportionate to its stated function. Note that some listed sources (e.g., Feishu wiki) may be behind authentication in practice; lack of credentials means those sources will simply fail to fetch (which the instructions account for).
Persistence & Privilege
ok: always is false and the skill is user-invocable. The only persistence action described is optionally saving the generated Markdown to the current directory — a reasonable behavior for a report generator and not an elevated privilege.