Hacker News

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent read-only Hacker News browsing/search tool with no credential use, persistence, or destructive behavior evidenced.

This looks reasonable for read-only Hacker News browsing and search. Before installing, be aware it runs an included Bash helper, sends HN queries/lookups to public HN/Algolia APIs, and may display untrusted public comments or profile text.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your HN search terms, story IDs, and profile lookups may be visible to the public APIs the tool queries.

Why it was flagged

The helper makes outbound API requests. This is purpose-aligned and read-only, but it means user-driven HN searches and lookups are sent to external public services.

Skill content

HN_API="https://hacker-news.firebaseio.com/v0"
ALGOLIA_API="https://hn.algolia.com/api/v1"
...
curl -sf "${HN_API}/${endpoint}.json"

Recommendation

Use it for normal HN browsing/searching, and avoid entering private or sensitive search terms if you do not want them sent to HN/Algolia.

What this means

You may need local dependencies such as bash, curl, jq, and python3 even though they are not declared in the registry metadata.

Why it was flagged

The package includes and documents running an executable script, while provenance and required local tools are sparsely declared. The visible behavior remains purpose-aligned, so this is a transparency/setup note rather than a concern.

Skill content

Source: unknown; Homepage: none; Required binaries (all must exist): none; No install spec — this is an instruction-only skill.

Recommendation

Review the included script before use and ensure required local tools are available; the publisher should declare runtime dependencies and source provenance.

What this means

HN comments or profiles could contain misleading instructions or claims, even though the skill itself does not tell the agent to obey them.

Why it was flagged

The skill intentionally brings public HN posts, comments, and profile text into the agent context. That content is untrusted public text and should be treated as data, not instructions.

Skill content

View item details, comments, and user profiles. Search stories and comments via Algolia.

Recommendation

Treat fetched HN content as untrusted public information and do not let it override your original request or safety expectations.