Skill v1.1.9

ClawScan security

News Market · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 2:18 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only RSS/web-scraping aggregator for China A-share related news whose code, declared requirements, and runtime instructions are consistent with its description and do not request secrets or elevated privileges.
Guidance
This skill appears coherent and low-risk: it fetches RSS feeds and scrapes news pages using a bundled Python script and requires no secrets. Things to consider before installing: (1) the skill uses third‑party RSS mirror domains (rss.injahow.cn, rss.shab.fun, rsshub-7x3pyolbs.vercel.app, etc.); if you care about supply-chain/trust, review or replace those mirror URLs with sources you trust or the official RSSHub. (2) The skill performs outbound HTTP(S) requests to listed sites — these will reveal your agent's IP and may be blocked by some sites; run it behind a proxy if needed. (3) Confirm the remainder of the script (the truncated portion in the provided file) contains no unexpected network endpoints or file I/O before granting broad autonomous invocation. (4) Scraping may violate some sites' terms of service; use responsibly. If you want extra assurance, run the script in a sandboxed environment and inspect the full source for any hidden endpoints.

Review Dimensions

Purpose & Capability
ok: Name/description match the included Python script and SKILL.md: the skill aggregates RSS and webpage sources for China A-share / tech / securities news. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
note: Instructions and script focus on fetching RSS feeds and extracting links/content from configured sites. A noteworthy point: the skill defaults to third‑party RSSHub mirror domains (e.g. rss.injahow.cn, rss.shab.fun, a vercel.app host). The SKILL.md also suggests editing the script to change these mirrors. Otherwise the instructions do not attempt to read local files, environment secrets, or send data to unexpected endpoints.
Install Mechanism
ok: No install spec (instruction-only) and the included script is pure Python standard library; nothing is downloaded or written by an install step.
Credentials
ok: No required environment variables, credentials, or config paths are declared or used in the visible code. The script makes outbound HTTP(S) requests only to the listed news/RSS sources and mirrors.
Persistence & Privilege
ok: always:false (default) and no indication the skill modifies other skills or system settings. The skill can be invoked autonomously by the agent (platform default) but it does not request permanent elevated presence.