Back to skill
Skillv1.0.0
ClawScan security
Tech News · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 10:10 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are consistent with its stated purpose (fetching hot tech news from X-TechCon) and do not request unrelated credentials or persistent privileges.
- Guidance
- This skill appears to do exactly what it claims: issue an HTTPS GET to X-TechCon and format the returned news. Before installing, confirm you trust https://www.x-techcon.com (the skill will make outbound requests there), ensure python3 and the 'requests' package are installed, and be aware of a minor trigger-string mismatch between the SKILL.md examples and the code (spacing in the trigger may affect detection). No credentials or sensitive access are requested.
Review Dimensions
- Purpose & Capability
- okName/description state the skill fetches hot news from X-TechCon; the code and SKILL.md both call the same API URL and only require python3 + requests. There are no unrelated binaries or credentials requested.
- Instruction Scope
- noteInstructions and code only perform a single GET to https://www.x-techcon.com/api/hot_news, parse JSON, and format results. Minor mismatch: SKILL.md trigger variants include a spaced form ('X-TechCon 科技热点') while the Python TRIGGER_WORDS list contains 'X-TechCon科技热点' (no space), which could cause some intended triggers to miss; otherwise instructions do not access files, extra env vars, or external endpoints beyond the stated API.
- Install Mechanism
- okNo install spec in registry (instruction-only install). requirements.txt lists only 'requests' and SKILL.md instructs using pip install -r requirements.txt—this is proportionate for a simple HTTP client. No downloads from arbitrary URLs or archive extraction are present.
- Credentials
- okThe skill requests no environment variables or credentials. Its network access to a third-party site is appropriate for its purpose. There are no hidden secrets or unrelated env requirements.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills, and has no persistent installation steps beyond deploying its single Python file as described. Autonomous invocation defaults are normal.