Back to skill
Skillv1.0.0
ClawScan security
BBC Vietnamese Trendy News · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 3:23 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions match its stated purpose (running a local Python script to fetch BBC Vietnamese RSS headlines); it requests no credentials and has no surprising installs or network destinations beyond the RSS feed.
- Guidance
- This skill is internally consistent: it runs a small Python script that fetches the BBC Vietnamese RSS feed and formats headlines. Before installing, confirm you are comfortable allowing the agent to execute local Python code and make outbound HTTP requests to the BBC RSS URL. Ensure the platform will correctly substitute {baseDir} and {path_to_conda_envs} placeholders or adjust the commands to your environment. Note the SKILL.md instructs the agent to treat the feed output as 'verified' — RSS content can be incomplete or wrong, so consider training the agent to caveat it appropriately when reporting breaking news. If you operate in a highly restricted environment, review the script contents and dependencies (requests, feedparser, BeautifulSoup) yourself before enabling execution.
Review Dimensions
- Purpose & Capability
- okName/description (fetch BBC Vietnamese headlines) align with included files and runtime needs: a small Python script plus requests/bs4/feedparser. Requiring python (and optionally conda to activate the environment) is reasonable for this implementation.
- Instruction Scope
- noteSKILL.md instructs the agent to run the bundled Python script and to install/activate a conda env. It references placeholders ({baseDir}, {path_to_conda_envs}) that must be resolved by the agent/platform; that is an implementation detail to verify. The instructions also tell the agent to treat the script output as 'verified' — this is a trust directive (not code-level exfiltration) and could lead the agent to overconfidently present feed content as authoritative.
- Install Mechanism
- okNo install spec; this is an instruction-only skill with bundled code and a requirements.txt. Nothing is downloaded from arbitrary URLs and no extract/run-from-remote steps are present.
- Credentials
- okOnly PYTHONIOENCODING=utf-8 and presence of conda/python binaries are required. No credentials, secrets, or unrelated environment variables are requested.
- Persistence & Privilege
- okalways is false, user-invocable true, and the skill does not request system-wide changes or modify other skills. It does not demand elevated persistence.