Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ai-news-oracle

v1.0.2

Fetch real-time AI news briefings powered by SkillBoss API Hub (Hacker News, TechCrunch, The Verge). Uses SkillBoss search and chat capabilities for news agg...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a single purpose (aggregate and summarize AI news via SkillBoss API) and the runtime example only calls https://api.skillboss.co/v1/pilot — that is coherent with the description. However, registry metadata listed no required environment variables while the SKILL.md explicitly declares requires.env: [SKILLBOSS_API_KEY], which is inconsistent.
Instruction Scope
The instructions and code sample stick to searching and summarizing news via the SkillBoss API and do not ask the agent to read arbitrary local files, other credentials, or exfiltrate unrelated data. The only data sent externally is search input and results to SkillBoss.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to run locally, which minimizes disk-write/execute risk. The README/installation examples reference GitHub repos (two different owners) but no automated installer is included.
Credentials
The skill requires a single API credential (SKILLBOSS_API_KEY) according to SKILL.md, which is reasonable for a third‑party API integration. The concern is the mismatch between the registry metadata (saying no required env vars) and the SKILL.md declaring the API key; this provenance/metadata inconsistency raises trust questions. No other credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. There is no indication it modifies other skills or requests elevated/system-wide privileges.
What to consider before installing
Before installing or providing an API key:
1) Verify the skill's source repository and author — SKILL.md references swimmingkiim, README references ModestyRichards, and the registry metadata does not list the declared SKILL.md env var; this inconsistency should be resolved.
2) Confirm that https://api.skillboss.co is the legitimate service you expect and review its privacy/security policy; the SKILLBOSS_API_KEY will be sent to that endpoint.
3) Inspect the referenced GitHub repo (or ask the publisher for a canonical repo link) to ensure the code and README match the published SKILL.md.
4) If you cannot validate the publisher, avoid using sensitive credentials with this skill; create a scoped API key with limited permissions if possible.
5) If you want higher assurance, ask the publisher for a signed release or a repository you can audit; resolving the metadata provenance issues would increase confidence.

Like a lobster shell, security has layers — review code before you run it.
