v2.0.2

News Fetcher (by luogao)

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:29 AM.

Analysis

This skill appears purpose-aligned for fetching public news and archives, with documented external service use and a small local preference file.

Guidance: This looks safe for its intended use: fetching and summarizing public news. Before installing, be aware that optional Tavily searches use your Tavily API key, external archive/search services may receive the URLs or search terms you request, and news preferences are saved in CONFIG/news-preferences.md.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/fetch_news.mjs
const TAVILY_API_KEY = process.env.TAVILY_API_KEY; ... 'Authorization': `Bearer ${TAVILY_API_KEY}`

The script uses an optional Tavily credential to authenticate to Tavily's search API, which is expected for the advertised alternative-source search feature.

User impact: If configured, the Tavily API key will be used for news searches and sent to Tavily as an authorization token.
Recommendation: Set TAVILY_API_KEY only if you want Tavily search enabled, and use a key with normal service-level limits rather than a broadly privileged credential.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
archive.today / Wayback Machine ... Use the Tavily API to search for free coverage of the same event

The skill intentionally sends article URLs or search queries to third-party archive/search services as part of its core workflow.

User impact: News URLs and search terms may be visible to external services such as Tavily, archive.today, Wayback Machine, or r.jina.ai.
Recommendation: Use the skill for public news links and avoid giving it private, intranet, or sensitive URLs unless you are comfortable sharing them with those services.

Memory and Context Poisoning
Severity: Info | Confidence: High | Status: Note
SKILL.md
Check the configuration file `CONFIG/news-preferences.md` ... Save preferences → write to `CONFIG/news-preferences.md`

The skill persists user news preferences in a workspace file and reads them later to guide news selection.

User impact: Stored preferences can influence future news results, and anyone who can modify that workspace file could steer what sources or categories are used.
Recommendation: Review or edit CONFIG/news-preferences.md if results seem unexpected, and avoid storing sensitive personal details in the preference file.