RSSaurus - Agent-Friendly RSS Feed Reader

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An overly broad command could mark many RSS items as read or change saved/read state in the user's account.

Why it was flagged

The skill documents account-state-changing CLI actions, including a bulk operation; this is disclosed and aligned with RSS triage, but broad writes should be intentional.

Skill content

Bulk mark read:

```
rssaurus mark-read --all
# or
rssaurus mark-read --ids 1,2,3
```

Recommendation

Use item IDs or feed filters for write actions where possible, and require explicit user confirmation before using `--all`.

What this means

Commands will act as the logged-in RSSaurus account, and exposing the config file could leak API tokens.

Why it was flagged

The skill relies on RSSaurus authentication and acknowledges token-bearing local config; this is expected for the integration and the artifact includes appropriate privacy guidance.

Skill content

Do **not** print (e.g. `cat`) the RSSaurus CLI config file contents; it can contain API tokens.

Recommendation

Verify the intended account with `rssaurus auth whoami`, do not display token files, and revoke/recreate tokens if they are exposed.

What this means

If the local `rssaurus` binary is not the expected one, RSSaurus account actions and authentication handling depend on that external executable.

Why it was flagged

The runtime instructions depend on a local `rssaurus` binary, but the supplied package does not install or pin that executable, so executable provenance is outside the skill artifact.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Install or update `rssaurus` from a trusted RSSaurus source and check `rssaurus --version` before using the skill for account actions.