Agent News Digest
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s news-search purpose is mostly coherent, but its runnable entrypoint starts a hard-coded test news job that can use API keys without an explicit user request.
Review the code before running it, especially src/index.ts. Remove or disable the automatic Bitcoin mock job, declare and scope any Tavily/Groq/Google/Anthropic API keys, and expect searched web content and topics to be sent to the selected external providers.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Starting the skill can send a Bitcoin query to Tavily and an LLM provider and may consume API quota even when the user did not submit that job.
The runnable entrypoint automatically creates and processes a hard-coded news job shortly after startup instead of only waiting for a user-provided ACP job.
setTimeout(async () => { const mockJob = { id: 'job-test-123', payload: { topic: 'Bitcoin', period: '1d', max_items: 3 } ... }; await callback(mockJob); }, 3000);
Remove the mock auto-job from production code, wait for an explicit user request, and document any test mode separately.
Users may not realize they need provider API keys or that running the skill can spend Tavily/Groq/selected LLM quota.
The skill uses an environment-supplied Tavily API key for the stated search provider; similar LLM provider keys are read elsewhere, while registry metadata declares no required credentials.
'Authorization': `Bearer ${process.env.TAVILY_API_KEY}`
Declare TAVILY_API_KEY and the supported LLM provider keys in metadata, document which provider is used by default, and use least-privilege/revocable keys.
A malicious or manipulated webpage could skew the news summary or importance scores, although the code does not show tool execution based on that output.
Remote news content is inserted into an LLM prompt for summarization, so adversarial article text could influence the generated summary.
내용: ${a.content.slice(0, 300)} ... const userMessage = `주제: ${topic}\n\n기사 목록:\n${articlesText}`;
Treat web content as untrusted, delimit quoted article text clearly, validate LLM JSON output, and avoid letting summarized content drive sensitive actions.
