Skill v1.0.1

ClawScan security

Hacker News Daily · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 26, 2026, 3:26 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (fetching and filtering Hacker News stories); it makes outbound HTTP requests, caches results to ~/.cache/hn-daily, and respects standard proxy environment variables — nothing in the bundle requests unrelated secrets or elevated privileges.
Guidance
This skill appears to do only what it claims: make HTTP requests to the Hacker News API, filter results, and cache them locally. Before installing or running:
1) Be aware it makes outbound network requests (ensure your environment permits this).
2) It respects HTTP_PROXY/HTTPS_PROXY/ALL_PROXY — if you use a proxy, that proxy will see the requests and responses.
3) It writes a cache file to ~/.cache/hn-daily/hn_cache.json (contains story data only); remove it if you don't want local caches.
4) The script uses the Python 'requests' library — install it in a controlled environment (virtualenv) if you're cautious.
5) The script prints story URLs (which may link to arbitrary external sites) — treat links as you normally would.
If you need higher assurance, run the script in an isolated environment (container) or review/execute the Python file yourself before granting the skill access.

Review Dimensions

Purpose & Capability
ok: Name/description (HN top stories, keyword filtering, caching) lines up with the included Python script and reference file, which call the official Hacker News Firebase API and implement filtering/caching. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
note: SKILL.md instructs running scripts/fetch_hn.py and documents use of HTTP_PROXY/HTTPS_PROXY which the script reads. The script only performs HTTP requests to the Hacker News API, filters results, and writes a cache file. It does not read arbitrary user files or attempt to transmit data to unknown endpoints, but it does write cached output to ~/.cache/hn-daily/hn_cache.json (expected for caching).
Install Mechanism
ok: This is an instruction-only skill with a small included script and no install spec. No downloads or third-party installation steps are declared. The script depends on the Python 'requests' library but does not attempt to install it.
Credentials
note: No required environment variables or credentials are declared. The script reads standard proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) described in SKILL.md — these are reasonable for networked tools but are environment inputs beyond the declared requires.env (which is empty). There are no secrets requested or stored.
Persistence & Privilege
ok: The skill does not request permanent platform presence (always:false) and does not modify other skills or system-wide settings. Its only persistent footprint is a cache file under the user's home directory (~/.cache/hn-daily/hn_cache.json).