Skill v1.0.1
ClawScan security
Hacker news on topic AI and agent only · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 1, 2026, 12:27 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (fetching Hacker News stories about AI via the Algolia HN API); it does not request credentials or access unrelated resources.
- Guidance: This skill is coherent with its description: it fetches HN stories via the Algolia API and reformats them. Before installing, note two practical points: (1) the script requires Python and the 'requests' package — the skill provides no install steps, so ensure your environment has that dependency; (2) the skill will make outbound network requests to https://hn.algolia.com — if you have network restrictions or logging requirements, confirm this is acceptable. As with any third-party code, only install if you trust the source; the included script is short and readable, but running code from unknown publishers always carries operational risk.
Review Dimensions
- Purpose & Capability (ok): Name/description promise (HN stories about AI/agents/Claude) matches the implementation: a Python script that queries the HN Algolia search API for stories containing the specified keywords.
- Instruction Scope (ok): SKILL.md instructs running the included script and reformatting output. The script only performs an HTTPS GET to hn.algolia.com and prints results; it does not read local files, environment variables, or send data to other endpoints.
- Install Mechanism (note): There is no install spec (lowest risk). However, the included Python script depends on the third-party 'requests' library but the skill does not declare or install that dependency — operational mismatch (not a security red flag but a runtime/packaging issue).
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. Nothing requested appears disproportionate to fetching HN stories.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request persistent privileges or modify other skills/config; autonomous invocation is allowed but is the platform default and not combined with other red flags.
