Skill v1.0.2

ClawScan security

news-content · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 17, 2026, 7:47 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary: The skill's code and requirements mostly match a remote-news-extraction purpose, but the use of an untrusted default backend (easyalpha.duckdns.org) and an explicit TLS verification bypass are concerning and could expose your API key or fetched content.

Guidance: This skill forwards the page URL and your EASYALPHA_API_KEY to a remote backend (default: easyalpha.duckdns.org). That default host is a personal dynamic-DNS domain (duckdns), and the client disables TLS certificate validation (rejectUnauthorized: false), which increases the chance that your key or content could be intercepted or misused. Before installing: (1) only set EASYALPHA_API_KEY if you trust the backend operator; (2) prefer pointing NEWS_EXTRACTOR_SERVER_URL to a trusted/organizational server, or run the extractor backend yourself; (3) remove or fix the rejectUnauthorized: false setting so TLS is properly validated; (4) review the backend's privacy policy, or run local parsing if you cannot trust remote handling of page content or credentials.

Review Dimensions

Purpose & Capability
ok: Name/description, required binary (node), and required env vars (EASYALPHA_API_KEY, NEWS_EXTRACTOR_SERVER_URL) align with a client that forwards a URL to a remote extractor and returns parsed content.
Instruction Scope
note: SKILL.md instructs the agent to run the included Node script, which sends the target URL and API key to a remote server and prints the server response. The instructions do not attempt to read unrelated files or other credentials, but they do direct potentially sensitive data (the URL and API key) to a remote endpoint.
Install Mechanism
ok: No install spec (instruction-only skill), and the only runtime requirement is node. The repository includes a small client script; nothing is downloaded from arbitrary URLs at install time.
Credentials
concern: The skill requires only the API key and server URL, which is proportionate, but the default server is on a duckdns personal domain (easyalpha.duckdns.org) and the client will send the API key to that host. This combination increases risk if the backend is untrusted or compromised.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skill or system configs, and has no persistent installation actions described.