Skill v1.0.0
ClawScan security
AI DeepNews · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 7:03 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (fetching RSS feeds, deduplicating, filtering, and translating into a Markdown digest); it requires only standard PyPI packages and writes local cache/output files — no credentials or surprising system access are requested.
- Guidance: This skill appears coherent and implements what it claims: it fetches public RSS feeds, deduplicates and filters by date, translates content to Chinese, and writes a local markdown digest and a JSON cache. Before installing: (1) be aware it performs network requests to many public sites and to the googletrans-based translator (unofficial web-based translator) — no API keys are required but the translator may be rate-limited or break if Google blocks scraping; (2) the SKILL.md mentions pushing to Telegram/WhatsApp/Slack but the code does not implement those integrations — you'll need to add that yourself if desired; (3) it writes seen_articles.json and latest_digest.md into the skill folder — review these files as needed and run inside a contained environment (virtualenv or sandbox) if you want isolation; (4) installing uses PyPI packages (feedparser, googletrans), so verify and pin versions as you prefer. Overall the skill is internally consistent and does not request unexplained credentials or system access.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included Python script and SKILL.md. The script fetches the listed RSS feeds, applies date filtering and deduplication, translates titles/summaries, and writes a markdown digest and a local JSON cache — all consistent with a news-digest tool.
- Instruction Scope (note): Runtime instructions are narrowly scoped to installing feedparser and googletrans and running the script. The SKILL.md claims 'Google Translate API' and 'automatic push to Telegram/WhatsApp/Slack' as usage scenarios, but the shipped code uses the unofficial googletrans library (no official Google Cloud API usage) and does not implement any push integrations — this is a minor mismatch (documentation vs implementation), not exfiltration.
- Install Mechanism (ok): No automated install spec; SKILL.md instructs creating a venv and pip-installing feedparser and googletrans==4.0.0-rc1 from PyPI. This is a standard, low-risk install path (no arbitrary downloads or archives).
- Credentials (ok): The skill declares no required environment variables or credentials and the code does not read secrets or external config. Translation is performed via the googletrans package which requires network access but no API keys; this is proportionate to the described functionality.
- Persistence & Privilege (ok): always:false and the script only writes files in its own directory (seen_articles.json, latest_digest.md). It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default but not excessive here.
