FreshRSS Reader
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent FreshRSS reader, but it needs FreshRSS API credentials that are not declared in the registry metadata.
This appears safe for its stated FreshRSS-reading purpose if you trust the included script and configure it only with your own FreshRSS instance. Use HTTPS, provide a dedicated API password, and be aware that the metadata under-declares the needed credentials and local dependencies.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Once configured, the skill can authenticate to your FreshRSS instance and read headlines, feeds, categories, and article URLs available to that account.
The skill requires FreshRSS account credentials to authenticate. This is expected for querying a private FreshRSS instance, but users should recognize that the script can access their configured reader account.
export FRESHRSS_URL="https://your-freshrss-instance.com" export FRESHRSS_USER="your-username" export FRESHRSS_API_PASSWORD="your-api-password"
Use a FreshRSS API password rather than a reused account password, prefer HTTPS for FRESHRSS_URL, and revoke the API password if you stop using the skill.
An install UI or reviewer relying only on metadata may not see that the skill needs FreshRSS credentials and local helper execution.
The registry metadata does not declare the credential/environment requirements, and the source has no homepage. The SKILL.md and script do disclose the FreshRSS variables, so this is a metadata/provenance gap rather than hidden behavior.
Source: unknown; Homepage: none; Required env vars: none; Env var declarations: none; Primary credential: none
Review the included script before use, and the publisher should declare FRESHRSS_URL, FRESHRSS_USER, FRESHRSS_API_PASSWORD, and local tool dependencies in metadata.