Skill v1.0.0
ClawScan security
Today News Task · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 1:23 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are consistent with its stated purpose (fetch portal pages and summarize headlines); it requests no credentials and has no install steps.
- Guidance
- This skill is internally consistent and lightweight: it uses a small Python script to fetch HTML and leaves parsing/summarization to the agent. Before installing or running it, consider: 1) network policy — the skill will make outbound HTTP requests to arbitrary URLs you instruct it to fetch; run it in an environment where that is acceptable; 2) parsing scope — the script prints raw HTML, so ensure the agent's parsing step does not read unrelated local files or secrets; 3) optional push step — if you choose to push results to the referenced 'today-task' skill, review that other skill (and any site you may be asked to visit to install it) before granting access. If you want stricter safety, run fetches in a sandboxed environment and audit any downstream skill ('today-task') before enabling cross-skill pushes.
Review Dimensions
- Purpose & Capability
- ok: Name/description (gather Chinese portal headlines and optionally push results to a separate 'today-task' skill) match what is present: a small Python fetcher and runtime instructions. There are no unrelated environment variables, binaries, or config paths requested.
- Instruction Scope
- note: SKILL.md instructs the agent to run the included fetch_url.py to download HTML from news portals and then extract titles/links. The Python script only performs an HTTP GET and prints raw HTML; parsing and summarization are left to the agent. This is coherent but gives the agent broad discretion to parse many pages — verify that parsing logic will not access unrelated local files or secrets.
- Install Mechanism
- ok: No install spec is provided (instruction-only plus a small local script). Nothing is downloaded from external URLs during install and fetch_url.py uses only the Python standard library.
- Credentials
- ok: The skill requests no environment variables or credentials. The optional push-to-‘today-task’ flow references installing a separate skill from an external site but does not ask for secrets. No disproportionate credential access is requested.
- Persistence & Privilege
- ok: always is false and the skill does not request persistent or elevated privileges or modify other skills. Autonomous invocation remains enabled (platform default) but does not combine here with excessive access.
