Back to skill
Skillv1.0.0
ClawScan security
mar-daily-news · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 24, 2026, 5:45 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and required environment variables are consistent with its stated purpose (fetching news via the SkillBoss API); it mainly requires a SkillBoss API key and will call that remote API to collect and summarize news.
- Guidance
- This skill sends scraped page content and search queries to a third-party API at api.heybossai.com using the SKILLBOSS_API_KEY you provide. Only install if you trust that provider and the API key's permissions. Do not supply other sensitive credentials to this skill. Run pip installs in a controlled environment (virtualenv/container) if you are cautious. If you want tighter control, review or sandbox the execution of daily_news.py before allowing the agent to run it autonomously.
Review Dimensions
- Purpose & Capability
- okName/description (daily top news from Baidu/Google via SkillBoss API Hub) match what the code and SKILL.md do: the Python script uses a single external API (api.heybossai.com) to scrape and search for trending items and composes a top-10 list. Required binaries (python) and the SKILLBOSS_API_KEY env var are proportional to this goal.
- Instruction Scope
- okSKILL.md instructs only to install the requests dependency and run the included Python script, then return its output. The script does not read local user files or other environment variables beyond SKILLBOSS_API_KEY and does not attempt to modify system configuration. It performs network calls to the declared API host to retrieve content, which is expected for this purpose.
- Install Mechanism
- okNo install spec; the only dependency is requests (requirements.txt). Installation is limited to 'pip install -r requirements.txt', which is standard and proportional. No downloads from arbitrary URLs or archive extraction are present.
- Credentials
- okOnly SKILLBOSS_API_KEY (and a non-sensitive PYTHONIOENCODING setting) are required. The secret is consistent with needing an API key for the external SkillBoss service; no unrelated credentials or extra access are requested.
- Persistence & Privilege
- okSkill is not force-included (always:false) and does not attempt to persist configuration, modify other skills, or change system-wide settings. Agent autonomous invocation is allowed (default) but is not a special privilege added by this skill.