RSSaurus - Agent-Friendly RSS Feed Reader

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is an instruction-only guide for using an existing RSSaurus CLI. The documented actions log in to an account and change feed state (read and saved status), so users should run them intentionally.

Before installing or using this skill, make sure the `rssaurus` binary is from a trusted source, verify the logged-in RSSaurus account, do not print CLI config files, and only allow bulk actions like `mark-read --all` when you explicitly want that account-wide change.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors reported this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Low
What this means

An overly broad command could mark many RSS items as read or change saved/read state in the user's account.

Why it was flagged

The skill documents account-state-changing CLI actions, including a bulk operation; this is disclosed and aligned with RSS triage, but broad writes should be intentional.

Skill content
Bulk mark read:

rssaurus mark-read --all
# or
rssaurus mark-read --ids 1,2,3
Recommendation

Use item IDs or feed filters for write actions where possible, and require explicit user confirmation before using `--all`.

ASI03: Identity and Privilege Abuse
Low
What this means

Commands will act as the logged-in RSSaurus account, and exposing the config file could leak API tokens.

Why it was flagged

The skill relies on RSSaurus authentication and acknowledges token-bearing local config; this is expected for the integration and the artifact includes appropriate privacy guidance.

Skill content
Do **not** print (e.g. `cat`) the RSSaurus CLI config file contents; it can contain API tokens.
Recommendation

Verify the intended account with `rssaurus auth whoami`, do not display token files, and revoke/recreate tokens if they are exposed.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Account actions and authentication handling are delegated to an external `rssaurus` executable, so if the local binary is not the expected one, everything the skill does with the account passes through it.

Why it was flagged

The runtime instructions depend on a local `rssaurus` binary, but the supplied package does not install or pin that executable, so executable provenance is outside the skill artifact.

Skill content
No install spec — this is an instruction-only skill.
Recommendation

Install or update `rssaurus` from a trusted RSSaurus source and check `rssaurus --version` before using the skill for account actions. Note that `--version` only reports which build is on the PATH; also confirm where the binary resolves (`command -v rssaurus`) and that it is the copy you installed from that source.
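The three recommendations above (gate `mark-read --all` behind explicit confirmation, verify the logged-in account with `rssaurus auth whoami`, and check the binary before account actions) can be enforced by a small wrapper placed between an agent and the CLI. The following POSIX shell script is an added example written for this review; it is not part of RSSaurus or of the skill. It uses only the subcommands quoted on this page (`auth whoami`, `--version`, `mark-read --all` / `--ids`). The environment variables `RSSAURUS_EXPECTED_DIR`, `RSSAURUS_EXPECTED_ACCOUNT` and `RSSAURUS_ALLOW_BULK`, the default install directory, and the assumption that `auth whoami` prints the account name are all hypothetical choices for this example, not documented RSSaurus behaviour.

```shell
#!/bin/sh
# Added example: a guard wrapper around the rssaurus CLI. Not part of
# RSSaurus or the reviewed skill. Only the subcommands quoted in the
# review are used: `auth whoami`, `--version`, `mark-read --all|--ids`.
# Hypothetical (assumed) environment variables:
#   RSSAURUS_EXPECTED_DIR      directory the binary must resolve to
#   RSSAURUS_EXPECTED_ACCOUNT  account name `auth whoami` must print
#   RSSAURUS_ALLOW_BULK        set to 1 to permit `mark-read --all`

# Return 0 if the argument list is an account-wide bulk write.
is_bulk_write() {
    sub=$1
    [ "$sub" = "mark-read" ] || return 1
    shift
    for arg in "$@"; do
        [ "$arg" = "--all" ] && return 0
    done
    return 1
}

# ASI04: confirm the binary on PATH is the one we installed from a trusted
# source (assumed location), and that it runs at all.
check_binary() {
    expected_dir=$1
    bin=$(command -v rssaurus) || { echo "rssaurus not found on PATH" >&2; return 1; }
    case "$bin" in
        "$expected_dir"/rssaurus) ;;
        *) echo "unexpected rssaurus binary: $bin" >&2; return 1 ;;
    esac
    rssaurus --version >/dev/null 2>&1 || { echo "rssaurus --version failed" >&2; return 1; }
}

# ASI03: confirm the logged-in account is the one the user intends.
# The exact output format of `auth whoami` is an assumption; we only
# require the expected account name to appear in it.
check_account() {
    expected=$1
    actual=$(rssaurus auth whoami 2>/dev/null) || { echo "not logged in" >&2; return 1; }
    case "$actual" in
        *"$expected"*) ;;
        *) echo "logged in as '$actual', expected '$expected'" >&2; return 1 ;;
    esac
}

# ASI02: run an rssaurus command, refusing bulk writes unless the user has
# explicitly opted in. Never touches the config file, so no token is shown.
rssaurus_guard() {
    check_binary "${RSSAURUS_EXPECTED_DIR:-/usr/local/bin}" || return 1
    check_account "${RSSAURUS_EXPECTED_ACCOUNT:?set RSSAURUS_EXPECTED_ACCOUNT}" || return 1
    if is_bulk_write "$@" && [ "${RSSAURUS_ALLOW_BULK:-0}" != "1" ]; then
        echo "refusing '$*': set RSSAURUS_ALLOW_BULK=1 to confirm an account-wide write" >&2
        return 2
    fi
    rssaurus "$@"
}

# Usage (after exporting the variables above):
#   rssaurus_guard mark-read --ids 1,2,3     # passes through
#   rssaurus_guard mark-read --all           # refused unless RSSAURUS_ALLOW_BULK=1
```

Pointing an agent at `rssaurus_guard` instead of `rssaurus` keeps the ID-scoped triage path frictionless while making the account-wide write a deliberate, separately authorised step, and it fails closed when the binary or the account is not what was expected.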