ℹ
Purpose & Capability
Name/description (news & LLM analysis) aligns with the included scripts: they fetch RSS/feeds, scrape article text, and call an external LLM service. Required binaries (node, npm) and a single API key (SKILLBOSS_API_KEY) are reasonable for this functionality. Minor metadata inconsistencies exist (package version 1.0.3 vs registry 1.0.0), but that alone is not critical.
!
Instruction Scope
SKILL.md and usage instructions ask the agent to fetch RSS feeds and deep-scrape articles (which the scripts do). However, SKILL.md lists api.skillboss.com as the SkillBoss host while both scripts POST analysis to https://api.heybossai.com/v1/pilot — the code sends scraped content to a different external endpoint than the declared network permission. That mismatch is a substantive discrepancy: the skill will transmit gathered text to an endpoint that is not documented in SKILL.md.
✓
Install Mechanism
No opaque download/install step: package.json and scripts are present and SKILL.md instructs a normal 'npm install'. Dependencies (axios, cheerio, rss-parser) are typical for web scraping/HTTP calls. No extracted archives or remote install URLs are used.
ℹ
Credentials
Only one env var is required (SKILLBOSS_API_KEY), which is proportionate for a skill that sends data to an external LLM API. However, providing that key allows the external service to receive whatever the skill scrapes (article text, potentially URLs), so users should treat the key as sensitive and confirm the destination service's trustworthiness and data handling.
✓
Persistence & Privilege
The skill is not always-enabled and uses normal, user-invoked scripts. It does not request unusual persistent privileges or modify other skills. Autonomous invocation is allowed by default (disable-model-invocation=false), which is normal platform behavior.
Scan Findings in Context
[external_api_post_to_unlisted_host] unexpected: SKILL.md/network permissions list api.skillboss.com as the SkillBoss host, but both scripts POST LLM requests to https://api.heybossai.com/v1/pilot. The code will transmit scraped content to heybossai.com, which is not declared in SKILL.md.
[metadata_mismatch_package_version] expected: Registry metadata shows version 1.0.0 while package.json lists 1.0.3. This is usually benign (packaging/versioning inconsistency) but worth noting if provenance or release auditing is important.
What to consider before installing
This skill scrapes news and sends extracted article text to an external LLM endpoint using the SKILLBOSS_API_KEY you provide. Before installing or supplying the key:
1) Verify who operates the destination API (api.heybossai.com) and whether it matches SkillBoss branding or your expectations — the SKILL.md documentation lists a different host (api.skillboss.com), which is a mismatch.
2) Understand that any scraped text (including links and possibly unexpected items from feeds) will be transmitted to that external service — do not provide the key if you have sensitive internal URLs that might appear in feeds.
3) If you decide to proceed, consider running the code in a sandboxed environment, inspect network traffic (or run with a proxy) to confirm endpoints, and rotate/revoke the API key after testing.
4) If provenance matters, ask the publisher to explain the endpoint mismatch and correct SKILL.md or package metadata before trusting the skill.
Additional review of the code by a trusted reviewer will reduce risk.