Non-Annoying News

Pass

Audited by ClawScan on May 12, 2026.

Overview

This looks like a benign personal-newsletter skill, but users should consciously approve any private-source adapters, package installs, scheduled runs, or external delivery.

Before installing, decide which sources you actually want to use. Start with pasted URLs or exports if you are cautious. Do not paste secrets into chat, review any local config before saving it, approve Playwright/Chromium installation only if you need PDF rendering, and create a cron or external delivery workflow only after confirming the schedule, sources, and destination.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Enabling these adapters could let the agent read private saved items, bookmarks, newsletter content, or app data to build the digest.

Why it was flagged

The skill may use existing account, browser, read-later, or mailbox integrations. This is purpose-aligned for a personal digest and is constrained to already configured local tools, but it still touches private account-adjacent data.

Skill content

Use only when already configured locally: X/Twitter bookmarks via local CLI/API/MCP/export; Browser reading list or browser bookmarks via local browser profile/export; Read-later apps via configured CLI/MCP/API; Newsletter/mailbox search via configured mail tools.

Recommendation

Enable only the specific adapters you want, prefer exports or pasted URLs when possible, and do not paste tokens, cookies, or secrets into chat.

Note, High Confidence

ASI10: Rogue Agents

What this means

If you approve a cron or scheduled job, the digest workflow may continue running in the future using the configured sources and delivery target.

Why it was flagged

The skill supports recurring scheduled operation, which is persistent future behavior, but the instructions explicitly require user confirmation before scheduling.

Skill content

A cron or scheduled job changes future behavior. Ask explicitly before creating one.

Recommendation

Approve scheduling only after reviewing the cadence, source set, delivery target, and whether external sending is allowed without per-issue approval.

What this means

A renderer install could add local dependencies and browser binaries to the environment.

Why it was flagged

Rendering PDFs may require installing or using an external browser-rendering dependency. This is central to the skill's PDF output purpose, but users should be aware before allowing package installation.

Skill content

If the browser renderer is missing, use Playwright/Chromium if installable.

Recommendation

Use an existing trusted renderer when available, and approve any Playwright/Chromium installation explicitly.

What this means

Local config or source manifests may reveal your interests, preferred sources, delivery channels, and recurring reading habits.

Why it was flagged

The skill relies on persistent local configuration and source context for personalization and recurring runs. The artifacts include good privacy guidance, but the stored preferences and source lists are still sensitive.

Skill content

Keep user-specific configuration outside the public skill directory... Never store tokens, cookies, private handles, channel IDs, or personal preferences inside the reusable public skill.

Recommendation

Keep configs and generated manifests in a private workspace, review them before recurring use, and avoid storing secrets or unnecessary personal identifiers.