Skill v2.4.0
ClawScan security
Polaris · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 24, 2026, 9:27 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions are consistent with its stated purpose (a read-only news/intelligence and market-data agent) and do not request unrelated credentials or privileged system access.
- Guidance: This skill appears coherent with its stated purpose, but review these practical considerations before installing:
  - Privacy of submitted content: /crawl will send any user-provided URL (and likely its content) to api.thepolarisreport.com for extraction; avoid submitting sensitive internal URLs or private documents.
  - Webhook alerts: /alerts can deliver to user-specified webhook endpoints. Only configure webhooks you control and trust; do not point alerts at unknown third-party endpoints.
  - Vendor trust: the skill asserts 'no user data stored'; that is a vendor policy, not something enforced by the skill itself. If you need guarantees, read the Polaris privacy policy and confirm retention/usage terms.
  - Testing: start by running non-sensitive queries to confirm behavior and rate limits (free tier noted). If you have compliance constraints, consider reviewing network logs or running the skill in a restricted environment first.
  - Verification: the registry shows a homepage URL in skill.json; validate that https://thepolarisreport.com and the API endpoints are legitimate and match your expectations before granting broad use.
  - If any of these points are unacceptable (e.g., you cannot allow transmission of internal URLs), do not install, or restrict usage to safe test queries only.
Review Dimensions
- Purpose & Capability (ok): The name, README, SKILL.md, skill.json, and index.js all describe the same set of commands (news, brief, price, crawl, alerts, etc.), and the implementation calls only one API domain (api.thepolarisreport.com). There are no requested environment variables, binaries, or install steps that are unrelated to serving news/market intelligence.
- Instruction Scope (note): Runtime instructions and the code stick to making requests to the Polaris API for the declared features. Two features deserve user attention: /crawl (which submits a user-provided URL to the service for extraction) and /alerts (which supports webhook delivery). Both behave consistently with an intelligence API, but they will send user-supplied content or webhook destinations to the remote API; that is expected for the features but has privacy implications. The SKILL.md claims 'No user data: Queries are not stored or shared'; that is a claim by the vendor. The skill itself transmits query text and user-provided URLs to api.thepolarisreport.com, so you must trust the remote service's privacy policy.
- Install Mechanism (ok): No install spec or third-party downloads are included; this is instruction-only plus a single JS file (index.js) that uses fetch. No archives, external installers, or unusual paths are used.
- Credentials (ok): The skill declares no required environment variables or credentials, and the code does not access process environment variables. There is no request for unrelated cloud keys or secrets.
- Persistence & Privilege (ok): The skill is not set to always:true and does not request elevated platform privileges. It will run when invoked (and can be invoked autonomously per platform defaults), which is normal for skills of this type. It does not modify other skills or global agent configuration.
