Skillv1.1.1

ClawScan security

AI News Feed API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 28, 2026, 9:41 PM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an instruction-only wrapper for a RapidAPI-hosted news aggregator and its requirements and behavior are largely consistent with that purpose, but there is a small metadata/instruction mismatch to be aware of.
Guidance: This skill is an instruction-only interface for a third‑party RapidAPI service that aggregates AI-related tweets; it does not install code on your machine. Before using it: (1) verify the RapidAPI listing (twitter-ai-news-feed.p.rapidapi.com) to confirm the operator and pricing; (2) do not paste your long‑term secret keys into chat — store the RapidAPI key in your own environment if you trust the API; (3) note the small metadata inconsistency: the skill docs expect a RAPIDAPI_KEY even though the registry metadata lists none; expect the agent to ask you for that key or for permission to use it; (4) consider testing with a limited or disposable RapidAPI subscription if you want to evaluate the feed without exposing production credentials.

Purpose & Capability: okName and description describe a RapidAPI-hosted AI news feed; the SKILL.md only requires a RapidAPI key and provides endpoints and response schemas that match the stated purpose. No unrelated services, binaries, or credentials are requested.
Instruction Scope: noteRuntime instructions are focused on calling the documented API endpoints and formatting/display concerns (e.g., timezone conversion). They instruct obtaining and using a RapidAPI key and include example curl calls. The instructions do not ask the agent to read arbitrary files, harvest system data, or contact unexpected endpoints beyond the documented RapidAPI host.
Install Mechanism: okInstruction-only skill with no install spec or code files — nothing is written to disk or downloaded by the skill itself, which minimizes install-time risk.
Credentials: concernSKILL.md instructs users to obtain and store a RapidAPI key (suggested env var RAPIDAPI_KEY) even though the registry metadata lists 'Required env vars: none' and 'Primary credential: none'. This metadata/instruction mismatch is a minor inconsistency that could confuse users about what credentials are needed.
Persistence & Privilege: okThe skill is not always-on, is user-invocable, and does not request persistent or elevated platform privileges. It does not modify other skills or system settings.