Feed To Md
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears benign and purpose-aligned: it fetches a user-provided public RSS/Atom feed, converts it locally to Markdown, and only optionally writes a scoped .md file, though the feed text itself remains untrusted.
This skill is reasonable to install if you need RSS/Atom-to-Markdown conversion. Provide only feed URLs you intend to fetch, use workspace-relative .md output paths carefully, and review generated Markdown because the feed’s own text may contain misleading content.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill will contact the feed host and, if an output path is provided, create or overwrite a Markdown file in the workspace.
The script fetches a user-provided feed URL and can write generated Markdown to a file. This is the intended function and is constrained by public-URL validation and workspace-relative .md path validation, but it still amounts to outbound network and file-write authority.
feed_url = validate_feed_url(args.url) ... xml_bytes = fetch_xml(feed_url) ... output_path.write_text(markdown, encoding="utf-8")
Use feed URLs you intend to fetch, choose output paths carefully, and review the generated file before relying on it.
A feed item could include misleading text or instructions that appear in the Markdown and might influence an agent or reader later.
Text from the external feed is rendered into Markdown and may be saved for later use. That is purpose-aligned, but feed content is untrusted retrieved context.
summary = find_text(item, "content:encoded", content_ns) or find_text(item, "description") ... lines.append(summary) ... output_path.write_text(markdown, encoding="utf-8")
Treat generated Markdown as untrusted source material; do not follow instructions inside feed content unless separately verified.
