v1.2.0

Feed To Md

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:00 AM.

Analysis

The skill appears benign and purpose-aligned: it fetches a user-provided public RSS/Atom feed, converts it locally to Markdown, and only optionally writes a scoped .md file, though the feed text itself remains untrusted.

Guidance

This skill is reasonable to install if you need RSS/Atom-to-Markdown conversion. Provide only feed URLs you intend to fetch, use workspace-relative .md output paths carefully, and review generated Markdown because the feed’s own text may contain misleading content.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/feed_to_md.py
feed_url = validate_feed_url(args.url) ... xml_bytes = fetch_xml(feed_url) ... output_path.write_text(markdown, encoding="utf-8")

The script fetches a user-provided feed URL and can write generated Markdown to a file. This is the intended function and is constrained by public-URL validation and workspace-relative .md path validation, but it is still outbound network and file-write authority.

User impact: The skill will contact the feed host and, if an output path is provided, create or overwrite a Markdown file in the workspace.
Recommendation: Use feed URLs you intend to fetch, choose output paths carefully, and review the generated file before relying on it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
scripts/feed_to_md.py
summary = find_text(item, "content:encoded", content_ns) or find_text(item, "description") ... lines.append(summary) ... output_path.write_text(markdown, encoding="utf-8")

Text from the external feed is rendered into Markdown and may be saved for later use. That is purpose-aligned, but feed content is untrusted retrieved context.

User impact: A feed item could include misleading text or instructions that appear in the Markdown and might influence an agent or reader later.
Recommendation: Treat generated Markdown as untrusted source material; do not follow instructions inside feed content unless separately verified.