HackerNews Extract
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: hn-extract Version: 0.1.5 The skill bundle is benign. The `SKILL.md` provides clear instructions for the AI agent to run the Python script, save output to `/tmp`, and then upload the file with a follow-up question, all aligned with the stated purpose and lacking any prompt injection attempts for malicious actions. The `hn-extract.py` script uses standard Python libraries (`requests`, `trafilatura`) to fetch data from the HackerNews API and linked articles, clean HTML, and format it into Markdown. It performs network requests and file system writes (to the specified output path or `/tmp`), which are necessary for its functionality, without any evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
On first run, the environment may download Python packages needed for article extraction.
The skill discloses that running it may trigger dependency installation through uv, which is purpose-aligned but depends on package provenance and availability.
Dependencies will be installed automatically by `uv` into to a dedicated venv when run this script.
Install only in an environment where uv package downloads are allowed, and use pinned or internally mirrored dependencies if your organization requires strict supply-chain controls.
When used, the agent may create a temporary Markdown file and send it as an attachment rather than only replying inline.
The skill explicitly directs the agent to execute the extraction script, create a Markdown file, and attach that generated file in a message. This is aligned with the advertised workflow but is still a concrete tool/file action.
Run the script with an output path: `uv run --script ${baseDir}/hn-extract.py <input> -o /tmp/hn-<id>.md`... Upload the fileUse it for Hacker News posts you actually want extracted, and review the generated file if the linked article or comments may contain sensitive or unwanted content.
Using the skill will contact Hacker News/Algolia and the external website linked by the HN post.
The implementation fetches HN item metadata and then fetches the linked article URL from that metadata. This network access is expected for an HN/article extraction tool.
url = f"https://hn.algolia.com/api/v1/items/{id}" ... self.article_html = self.get_html_form_url(article_url)Avoid running it on posts whose linked sites you do not want your environment to contact.