Skill v1.0.0
ClawScan security
Diffbot Fetch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 31, 2026, 11:54 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and SKILL.md expect a DIFFBOT_API_KEY, but the registry metadata does not declare any required credentials — this mismatch is incoherent and should be clarified before use.
- Guidance: This skill appears to be a simple Diffbot API wrapper (fetch.py) that needs DIFFBOT_API_KEY, but the registry metadata incorrectly lists no required credentials. Before installing:
  - Confirm the registry/package owner and provenance (no homepage or known owner provided). Treat as unverified.
  - Expect to supply DIFFBOT_API_KEY; do not paste your secret into public places. Prefer a limited-scope or ephemeral Diffbot token if available.
  - Review fetch.py (included) yourself — it only contacts api.diffbot.com and prints article text, so it doesn't exfiltrate other data, but running code from unknown sources always has risk.
  - Ask the publisher to fix the metadata to declare DIFFBOT_API_KEY explicitly (or remove the requirement if it is incorrect).
  - If you will run this inside an automated agent that passes credentials, ensure policies/ACLs limit which skills receive the token.
Review Dimensions
- Purpose & Capability (note): The name/description, SKILL.md, README, and fetch.py all consistently describe fetching article content via the Diffbot Article API; that purpose is coherent with the included code. However, the registry metadata claims no required environment variables or primary credential, which contradicts the code and SKILL.md that require DIFFBOT_API_KEY.
- Instruction Scope (ok): The runtime instructions only call the Diffbot Article API and format output as Markdown. The SKILL.md and fetch.py do not instruct reading unrelated files or other environment variables, nor do they contact endpoints other than api.diffbot.com. Usage examples are limited to invoking the included script.
- Install Mechanism (ok): This is an instruction-only skill (no installer) with a single included Python script. There are no download URLs or extract/install steps, so installation risk is low. The presence of a code file without an install spec is consistent with an instruction-only package.
- Credentials (concern): The code and SKILL.md require a DIFFBOT_API_KEY environment variable. The registry metadata, however, lists no required env vars or primary credential. That mismatch is disproportionate and could mislead users or automated policy checks. Aside from the Diffbot key, the script does not request other secrets.
- Persistence & Privilege (ok): The skill does not request persistent/always-on presence and does not modify other skills or system settings. It runs as a simple script and prints to stdout, so there are no elevated persistence privileges.
