Skill v0.2.3
ClawScan security
Miniflux Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 1:36 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, required binaries, and environment variables match its stated purpose (a Miniflux REST API CLI); nothing requests unrelated secrets or performs unexpected operations.
- Guidance: This skill appears to do exactly what it says: it runs a Python CLI that calls your Miniflux instance using MINIFLUX_URL and MINIFLUX_TOKEN. Before installing or using it:
  1. Ensure MINIFLUX_TOKEN is limited to the Miniflux account you expect (treat it like any API token).
  2. Confirm MINIFLUX_URL points to your trusted Miniflux instance (the README contains an example public host; change it).
  3. If you want extra assurance, review the included scripts (miniflux-cli.py and miniflux.sh) and verify the 'miniflux' Python package on PyPI is the official client.
  4. Note installation is manual (no automatic installers); follow your environment's best practices for installing Python packages.

  Overall, nothing in the package requests unrelated credentials or performs suspicious I/O.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (python3), and required env vars (MINIFLUX_URL, MINIFLUX_TOKEN) align with a Miniflux REST API client/CLI; the included Python CLI and bash wrapper are consistent with the stated functionality.
- Instruction Scope (ok): SKILL.md instructs installing the official Python miniflux client and running the provided shell wrapper or Python script. Runtime instructions only reference MINIFLUX_URL and MINIFLUX_TOKEN and the Miniflux API endpoints; the scripts do not read unrelated system files or exfiltrate data to unknown endpoints. Minor note: SKILL.md recommends 'uv pip' in examples but 'uv' is not declared as a required binary; this is a documentation convenience, not harmful.
- Install Mechanism (ok): There is no automated install spec (instruction-only), and the script relies on the public 'miniflux' Python package. This is a low-risk pattern; installation is manual and no arbitrary remote archive downloads or custom installers are present.
- Credentials (ok): Only MINIFLUX_URL and MINIFLUX_TOKEN are required, and the primary credential is MINIFLUX_TOKEN; these are exactly what a Miniflux client needs. No unrelated secrets or broad environment access are requested.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or system-wide configs. It runs as a typical user-invoked/autonomously-invokable skill with no additional persistence.
