Cctv News Fetcher Conflict
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When used, the agent may contact CCTV pages and links discovered on those pages to collect article text.
The crawler follows links taken from the remote news page, so invocation can make additional outbound requests beyond the first CCTV URL. This is purpose-aligned for a news scraper and does not show local data being sent.
const pageUrls = soup.querySelectorAll('li a').slice(1).map(a => a.getAttribute('href') || ''); ... const pageResponse = await fetch(pageUrl, { headers });
Use it for its intended news-fetching purpose; maintainers could add a CCTV/CNTV domain allowlist for followed links.
CCTV may receive a static cookie value with requests made by the scraper; there is no artifact evidence that your own account cookies are accessed.
The script sends a fixed cookie value with page requests. It is not reading the user's local cookies or credentials, but the opaque header is not disclosed in the skill instructions.
'Cookie': 'cna=DLYSGBDthG4CAbRVCNxSxGT6'
Document why the cookie is needed or remove it if public pages work without it; never replace it with a user's personal session cookie unless clearly required and scoped.
The skill may not run until Node/Bun and the npm dependency are available, and users must rely on the included package files for setup.
The runtime/dependency requirement is disclosed in the skill text, but the supplied install/requirements metadata lists no required binaries or install spec. This is a setup metadata gap, not hidden behavior.
The skill depends on `node-html-parser`. Ensure `bun` is installed in the environment.
Declare Node or Bun and the dependency installation path in metadata/install instructions; install dependencies from the included lockfile.
Users may have less certainty that the registry entry and bundled package metadata refer to the same intended skill.
The bundled metadata identifies a different owner/slug than the supplied registry metadata for cctv-news-fetcher-conflict. The code still matches the stated purpose, but the package identity is inconsistent.
"ownerId": "kn7e8pavq30z0e9ys21svajh6580dk8q", "slug": "cctv-news-fetcher"
Verify the publisher/package identity before installing and update bundled metadata to match the registry entry.
