local hacker news index page, markdown news frontend
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the output path points to an important existing file, the skill can overwrite it.
The tool reads the selected input path and writes the selected output path. This is expected for a local converter, but the write mode will create or replace the target HTML file.
`with open(args.input, 'r', encoding='utf-8') as f:` ... `with open(output_path, 'w', encoding='utf-8') as f:`
Use an intentional input file and choose a safe output path; avoid pointing `-o` at important existing files.
Opening or sharing HTML generated from untrusted Markdown could expose viewers to misleading links or injected page content.
The script HTML-escapes titles, sources, and URLs, but it does not validate URL schemes and inserts the parsed author field into HTML without escaping. For trusted Hacker News-style snapshots this is likely limited, but crafted Markdown could produce unsafe links or injected HTML in the generated page.
`url = e(item['url'])` ... `href="{url}"` ... `meta_parts.append(f'<span class="author">@{item["author"]}</span>')`
Use trusted Markdown snapshots, review generated pages before sharing, and consider escaping the author field and restricting links to safe schemes such as http/https.
