ETH24
PendingStatic analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or spammy tweet/RSS item could try to steer the AI ranking or wording, leading to a misleading digest or draft.
The model prompt includes raw tweet and RSS content, which may contain untrusted text. This is central to ranking a social-media digest, but the generated JSON can be influenced by the input content.
RAW DATA:\n{context[:12000]}Review ranked.json, cli.txt, or thread.txt before publishing or relying on the digest.
Running tweet mode with Typefully credentials can create a draft in the connected social publishing account.
In tweet mode, the skill can send generated digest text to Typefully to create a draft. This is disclosed and purpose-aligned, but it is an account-modifying API action.
if social_set_id and typefully_key:\n posts = [{"text": text}]\n create_draft(social_set_id, posts)Use CLI mode for local previews, keep Typefully credentials scoped, and review drafts before publishing.
The skill can spend API quota and access the connected X/xAI/Anthropic/Typefully services according to the tokens provided.
The skill uses provider credentials for the expected crawl and ranking integrations. The registry metadata says no required env vars, so users should not miss these credential requirements.
XAI_API_KEY=... # xAI API key\nX_BEARER_TOKEN=... # X API v2 bearer token\nANTHROPIC_API_KEY=... # Anthropic API key
Use least-privilege, revocable API keys and monitor provider usage/costs.
Dependency behavior could change over time if installed without a lockfile or pinned versions.
The Python dependencies are not version-pinned. This is common for simple projects, but it means future installs may resolve different package versions.
feedparser\nPillow\nhttpx
Install in a virtual environment and consider pinning dependency versions before routine use.