Miniflux News
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the token could access the user's Miniflux data, and the same configured token may also authorize mark-read operations.
The skill uses a Miniflux API token to access the user's account. That is expected for the stated integration, but API tokens are sensitive and should be scoped and stored carefully.
This skill reads Miniflux credentials from a local config file by default... `~/.config/clawdbot/miniflux-news.json` ... "token": "<api-token>" ... `MINIFLUX_TOKEN`
Use a least-privilege token if Miniflux supports it, prefer HTTPS URLs, keep the config file private, and avoid exposing the token in shell history or shared logs.
If explicitly invoked, the skill can mark selected or category-wide unread items as read, which may hide them from the unread queue.
The bundled script can mutate Miniflux entry status, including bulk category mark-read behavior, but the code enforces a confirmation flag before doing so.
payload = {"entry_ids": ids, "status": "read"}
_request("/v1/entries", method="PUT", body=payload)
...
if not args.confirm:
    raise SystemExit("Refusing to mark entries as read without --confirm.")
Only ask it to mark items read after reviewing the target IDs or category, and keep using the `--confirm` requirement for any state-changing action.
Users have less external provenance information for deciding whether to trust the bundled helper script that handles their API token.
The skill includes a bundled script but does not provide an upstream source or homepage for provenance. The provided script is readable and static scan signals are clean, so this is a provenance note rather than a concern.
Source: unknown
Homepage: none
Install specifications: No install spec — this is an instruction-only skill.
Review the bundled script before first use and prefer installing from a known publisher or repository when available.
