FreshRSS Reader
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Once configured, the skill can authenticate to your FreshRSS instance and read headlines, feeds, categories, and article URLs available to that account.
The skill requires FreshRSS account credentials to authenticate. This is expected for querying a private FreshRSS instance, but users should recognize that the script can access their configured reader account.
export FRESHRSS_URL="https://your-freshrss-instance.com" export FRESHRSS_USER="your-username" export FRESHRSS_API_PASSWORD="your-api-password"
Use a FreshRSS API password rather than a reused account password, prefer HTTPS for FRESHRSS_URL, and revoke the API password if you stop using the skill.
An install UI or reviewer relying only on metadata may not see that the skill needs FreshRSS credentials and local helper execution.
The registry metadata does not declare the credential/environment requirements, and the source has no homepage. The SKILL.md and script do disclose the FreshRSS variables, so this is a metadata/provenance gap rather than hidden behavior.
Source: unknown; Homepage: none; Required env vars: none; Env var declarations: none; Primary credential: none
Review the included script before use, and the publisher should declare FRESHRSS_URL, FRESHRSS_USER, FRESHRSS_API_PASSWORD, and local tool dependencies in metadata.