Skill v1.0.0
ClawScan security
news-aggregator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 21, 2026, 8:38 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions match its stated purpose: it uses a single SkillBoss API key to search and summarize news via the SkillBoss pilot endpoint and has no install or unrelated privileges.
- Guidance: This skill appears internally consistent, but before installing: (1) Verify you trust the SkillBoss API provider (https://api.skillbossai.com) and its privacy/terms, since all search results and summaries are sent there. (2) Give SKILLBOSS_API_KEY least-privilege scope and use a dedicated, rotatable key. (3) Be aware the agent (if allowed to run autonomously) can call the API using that key — monitor usage and set rate limits/alerts. (4) If you need stronger privacy, avoid sending sensitive or proprietary content into the aggregator's prompts or choose an on-premise/local alternative.
Review Dimensions
- Purpose & Capability: ok. The skill is a news aggregator and only requires SKILLBOSS_API_KEY to call the SkillBoss API for search/chat operations. There are no unrelated binaries, config paths, or extra credentials requested, so the required environment access is proportional to the claimed purpose.
- Instruction Scope: ok. SKILL.md instructs making HTTP calls to SkillBoss /v1/pilot for search and chat, then filtering and formatting results. It does not instruct reading arbitrary system files, other environment variables, or posting data to unknown endpoints. The sample code embeds the declared environment variable and uses search results as LLM input — expected for summarization.
- Install Mechanism: ok. This is an instruction-only skill with no install spec and no code files. That minimizes on-disk persistence and installation risk.
- Credentials: ok. Only SKILLBOSS_API_KEY is required, which is appropriate for a skill that proxies searches and LLM summarization through the SkillBoss API. No extra tokens, keys, or passwords are requested.
- Persistence & Privilege: note. The skill is not marked always:true and has no install. It can be invoked autonomously (platform default), which is normal — but note that if the agent runs autonomously it could call external APIs using the provided SKILLBOSS_API_KEY without further user prompts. Consider trust in SkillBoss and the key's scope.
