Skill v1.0.0
ClawScan security
News Corbett Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 6:40 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This instruction-only skill is internally consistent: it only fetches and formats the public Corbett Report RSS feed and does not request extra permissions or install code.
- Guidance: This skill is low-risk and does exactly what it says: fetch a public RSS feed and format items. Before installing, consider: (1) it will perform outbound network fetches to corbettreport.com (no credentials required); (2) the feed content (titles, teasers, links) will be included verbatim in responses, so be cautious if you expect filtering of external links or tracking parameters; (3) the skill relies on the agent's fetch/curl behavior to faithfully parse XML—test it with a sample request to ensure the implementation follows the 'same <item>' rules; (4) if you need stricter controls, run it only when network access to that domain is permitted. Overall this skill appears coherent and proportionate to its stated purpose.
Review Dimensions
- Purpose & Capability: ok. The name/description match the runtime instructions: the skill's sole purpose is to fetch and format https://corbettreport.com/feed/. It declares no unrelated binaries, env vars, or config paths.
- Instruction Scope: ok. SKILL.md confines the agent to reading the specified feed URL, extracting per-item title/link/description, and formatting results. It explicitly forbids inventing items or reading other sources. No instructions ask the agent to read local files, other env vars, or transmit data elsewhere.
- Install Mechanism: ok. There is no install spec and no code files (instruction-only), so nothing is written to disk or downloaded at install time—lowest risk install profile.
- Credentials: ok. The skill requires no credentials, environment variables, or config paths. Requested capabilities are proportionate to fetching a public RSS feed.
- Persistence & Privilege: ok. "always" is false and the skill does not request persistent or elevated privileges. Autonomous invocation is allowed (platform default) but the skill itself does not request increased persistence or modify other skills.
