HackerNews Extract

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

On first run, the environment may download Python packages needed for article extraction.

Why it was flagged

The skill discloses that running it may trigger dependency installation through uv, which is purpose-aligned but depends on package provenance and availability.

Skill content

Dependencies will be installed automatically by `uv` into a dedicated venv when you run this script.

Recommendation

Install only in an environment where uv package downloads are allowed, and use pinned or internally mirrored dependencies if your organization requires strict supply-chain controls.

What this means

When used, the agent may create a temporary Markdown file and send it as an attachment rather than only replying inline.

Why it was flagged

The skill explicitly directs the agent to execute the extraction script, create a Markdown file, and attach that generated file in a message. This is aligned with the advertised workflow but is still a concrete tool/file action.

Skill content

Run the script with an output path: `uv run --script ${baseDir}/hn-extract.py <input> -o /tmp/hn-<id>.md`... Upload the file

Recommendation

Use it for Hacker News posts you actually want extracted, and review the generated file if the linked article or comments may contain sensitive or unwanted content.

What this means

Using the skill will contact Hacker News/Algolia and the external website linked by the HN post.

Why it was flagged

The implementation fetches HN item metadata and then fetches the linked article URL from that metadata. This network access is expected for an HN/article extraction tool.

Skill content

`url = f"https://hn.algolia.com/api/v1/items/{id}"` ... `self.article_html = self.get_html_form_url(article_url)`

Recommendation

Avoid running it on posts whose linked sites you do not want your environment to contact.