Back to skill
Skillv1.0.0
ClawScan security
daily-trending · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 19, 2026, 7:08 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions align with its stated purpose (scraping tophub.today for trending lists); it is instruction-only, requests no secrets, and does not perform actions outside that scope.
- Guidance
- This skill is internally consistent: it simply scrapes specific tophub.today pages and returns the top 5 factual items. Before installing, consider: (1) the skill needs outbound web access to fetch tophub.today — ensure your environment permits that and it complies with your network/TOS policies; (2) the skill suppresses source attribution and extra diagnostic text, which improves brevity but reduces verifiability and may hide errors; (3) scraped content can be inaccurate or change format unexpectedly — monitor for breakage. If you need source links or error reporting, request the skill be modified to include them.
Review Dimensions
- Purpose & Capability
- okName/description say: fetch today's hot lists from tophub.today. The SKILL.md explicitly fetches several tophub.today pages (Weibo, Zhihu, Baidu, etc.). No unrelated credentials, binaries, or installs are requested — all required elements match the stated purpose.
- Instruction Scope
- noteInstructions are narrowly focused on web_fetch calls to specific tophub.today URLs and filtering criteria for news selection. They also enforce strict output formatting and omission of sources/error text. This is coherent for the task but is prescriptive (e.g., forbids extra diagnostic output), which could hide error messages or make debugging harder.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. Nothing is written to disk and no external packages are fetched. This is the lowest-risk install pattern for this purpose.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths and the runtime instructions do not reference any. That is proportionate for a public-web scraping/trending aggregator.
- Persistence & Privilege
- okalways is false and agent-autonomy defaults are unchanged. The skill does not request persistent presence or elevated privileges and does not attempt to modify other skills or system settings.