Skill v1.0.0

ClawScan security

Feed Digest · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 13, 2026, 7:59 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions line up with its stated purpose (it runs a local 'feed' CLI to fetch, read, and mark feed entries), but you should verify the third-party Homebrew tap / Go package before installing.
Guidance
This skill is coherent with its description, but before installing: (1) inspect the Homebrew tap and GitHub repo (odysseus0/feed) to ensure you trust the author, (2) prefer installing in a controlled environment or sandbox if you have concerns, (3) be aware the tool will fetch remote feeds and modify your local feed database (it will mark items as read), and (4) if you subscribe to private authenticated feeds, understand the CLI may use stored credentials—verify how those are stored/used. If you don't trust the tap/repo, don't install the formula; consider running the CLI manually after reviewing its source.

Review Dimensions

Purpose & Capability
ok
Name/description (feed digest) match the declared requirement of a single 'feed' CLI binary and the SKILL.md commands. No unrelated credentials, files, or binaries are requested.
Instruction Scope
note
Instructions are narrowly scoped to running the 'feed' CLI: fetch entries, read specific entries, triage and summarize, and mark entries read. This will read feed content and modify the local feed DB/state (marking items read); the skill does not request unrelated system files or environment variables. Be aware the agent will run network fetches and change local feed state.
Install Mechanism
concern
Install options are a third-party Homebrew tap (odysseus0/tap/feed) and a Go package from github.com/odysseus0/feed. Both are traceable but not an official core/homebrew formula — installing will build/run code from that author. Verify the tap/repo before installation because those install sources can execute arbitrary code on your machine.
Credentials
ok
No environment variables or external credentials are requested by the skill definition. Note that the 'feed' CLI itself may access user feed configuration or credentials for private feeds (not declared here). The lack of requested credentials is consistent with a public-feed reader skill.
Persistence & Privilege
ok
Skill is not always-enabled and does not request system-wide privileges beyond installing/running the 'feed' binary. Runtime actions include marking items read in the local feed database (normal for this purpose). Installation will place a binary via Homebrew or Go tooling (expected behavior).