Skillv1.0.0

ClawScan security

ORF news · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 17, 2026, 6:40 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are consistent with an RSS-aggregation/formatting purpose and do not ask for unrelated credentials, installs, or file access.
Guidance: This skill is coherent and low-risk: it will perform network requests to the three ORF RSS URLs and format items exactly as described. Before installing, confirm you are comfortable with the agent making HTTP requests to rss.orf.at (your agent's IP and request metadata will be visible to that site), and ensure your runtime provides the 'fetch' capability the instructions expect. If you do not want automatic network fetches, avoid enabling autonomous invocation for the agent or restrict network access.

Purpose & Capability: okName/description match the runtime instructions: the SKILL.md only fetches three ORF RSS feeds and prescribes how to parse and present items. There are no unrelated required env vars, binaries, or config paths.
Instruction Scope: okInstructions are narrowly scoped to fetching the three ORF feeds, parsing <item> blocks, and formatting results. The SKILL.md does not instruct reading local files, other env vars, or sending data to third‑party endpoints beyond the listed feed URLs. It does require using the platform's 'fetch' tool to perform HTTP GETs (expected for an RSS skill).
Install Mechanism: okThis is an instruction-only skill with no install spec or code to download or write to disk, which minimizes installation risk.
Credentials: okNo credentials, secrets, or config paths are requested. The skill only needs network access to rss.orf.at, which aligns with its purpose.
Persistence & Privilege: okThe skill does not request always:true or elevated persistence and does not modify other skills or system settings. Autonomous invocation is allowed by default (normal) but not requested to be forced-on.