ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hacker News

v1.0.0

Search and browse Hacker News with API access to stories, comments, users, and hiring threads.

0· 1.7k·13 current·14 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the instructions: SKILL.md, api.md, and search.md all only describe using the official Firebase HN API and the Algolia HN search API. No unrelated binaries, env vars, or services are requested.
Instruction Scope
Runtime instructions are constrained to making HTTP requests to public HN endpoints and building queries. The docs suggest curl and shell date usage for timestamps, and recommend batching/pagination — all within the expected scope. There are no instructions to read local files, access secrets, or POST data to unexpected endpoints.
Install Mechanism
No install spec and no code files — instruction-only skill. Nothing is written to disk or fetched during install, minimizing install-time risk.
Credentials
The skill declares no required environment variables, credentials, or config paths — proportional for a read-only public-API browsing tool.
Persistence & Privilege
always is false and the skill does not request persistent system-level changes or modifications to other skills. It can be invoked by the agent, which is normal for skills of this type.
Assessment
This skill looks safe and coherent: it only documents calling public Hacker News endpoints and needs no secrets or installs. Before installing: 1) note the registry/owner and lack of a homepage — the skill is instruction-only, so risk is low but verify you trust the publisher. 2) Be aware that its examples use shell date substitutions and curl; on some systems (macOS/BSD) the date flags differ, so the agent might fail or behave differently. 3) The agent will make network requests to public APIs (and could fetch URLs returned in stories if asked) — if you do not want outbound network access, do not enable the skill. 4) Expect standard rate limits from Algolia/HN; no credentials are required.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a01rg86knys747e5rks27y1817ytv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🟠 Clawdis
OSLinux · macOS · Windows

Comments