Skill v1.0.0
ClawScan security
Latte News Fetcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 12:26 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, install steps, and runtime instructions match its stated purpose (fetching news, RSS, and optionally using Tavily search); it requests no unrelated credentials and only optionally uses a Tavily API key for search.
- Guidance: What to know before installing:
  - This skill requires node and will install node-fetch (standard npm package).
  - It will read and write a workspace file CONFIG/news-preferences.md to save user preferences — expect this side-effect in your agent workspace.
  - Tavily integration is optional; provide TAVILY_API_KEY only if you want the built-in search fallback. The key is used only to call https://api.tavily.com/search as shown in the script.
  - The skill fetches arbitrary news pages and external APIs over the network; it will retrieve and output page contents (respect copyright and paywall rules).
  - There are no requests for unrelated credentials or system secrets. If you want extra assurance, review scripts/fetch_news.mjs and references/free-sources.md yourself before enabling the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description (news + RSS + Tavily search) align with the files, SKILL.md, and the single script. The declared binary (node) and the npm dependency (node-fetch) are appropriate for the provided Node script. No unrelated services or credentials are required.
- Instruction Scope (note): Runtime instructions reference reading/writing a workspace file CONFIG/news-preferences.md (used to store user preferences) and using agent tools browser/web_fetch and Tavily search. Writing a preferences file in the workspace is consistent with the described behavior but is a side-effect users should be aware of. The instructions do not attempt to read system-level secrets or unrelated config paths.
- Install Mechanism (ok): Install uses a single npm package (node-fetch) declared in package.json and in SKILL.md. This is proportionate to the Node script's network fetch behavior and is a low-to-moderate risk installation mechanism (standard public npm dependency).
- Credentials (ok): No required environment variables; one optional env var TAVILY_API_KEY is declared and used only to authenticate calls to api.tavily.com for search fallback. The use of this key is justified by the Tavily-search feature; no unrelated credentials are requested.
- Persistence & Privilege (ok): Skill is not always-enabled and uses normal autonomous invocation defaults. It writes a workspace-level config file for user preferences (CONFIG/news-preferences.md), which is within its stated scope. It does not request persistent elevated privileges or modify other skills.
