Skill v1.0.3
ClawScan security
daily-news-caster · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 12:59 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (fetch news, format a two-host podcast script, and call a local TTS skill to make audio) matches its instructions and requirements, but you should review the dependent skills it runs and any optional API keys they may use before running it.
- Guidance: This skill is internally consistent for generating a news podcast, but it orchestrates and executes scripts from two other skills you must trust. Before installing or running: (1) Inspect the code and SKILL.md of news-aggregator-skill and tts to confirm what network calls and environment variables they use; (2) only provide NOIZ_API_KEY (or other keys) if you trust the tts backend and understand the privacy implications; (3) be aware the skill will write audio and markdown files to the workspace and will execute python3/ffmpeg commands; run in a sandbox if you are unsure; (4) if you cannot review the dependency code, do not grant secrets and consider using guest-mode voices instead.
Review Dimensions
- Purpose & Capability (ok): The name and description match the runtime instructions: it requires the news-aggregator and tts skills, plus python3 and ffmpeg to run scripts and merge audio. Those dependencies are appropriate for fetching news, generating TTS, and concatenating audio.
- Instruction Scope (note): The SKILL.md explicitly instructs the agent to locate and execute scripts from other skills (e.g., skills/news-aggregator-skill/scripts/fetch_news.py and skills/tts/scripts/tts.py) and to read those skills' SKILL.md files. That is coherent, but it means the security surface extends to whatever those dependency scripts do (network calls, env var access, external APIs). The skill also writes files to disk (podcast_script.md, line_*.wav, podcast_output.wav) which is expected for this task.
- Install Mechanism (ok): Instruction-only skill with no install spec; nothing will be downloaded or written by this skill itself. Low install risk. It relies on existing local skills and standard binaries (python3, ffmpeg).
- Credentials (note): The skill itself requests no environment variables, which aligns with its stated scope. However the SKILL.md mentions the tts backend can use NOIZ_API_KEY for voice-cloning features (optional), and dependency scripts may require other keys or tokens. These credential requirements belong to the dependency skills, so you should review those skills before providing secrets.
- Persistence & Privilege (ok): always is false and the skill does not request persistent/privileged installation. It writes local output files as part of normal operation and does not modify other skills or system-wide configs.
