Skill v1.0.0

ClawScan security

Podcast Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 1:53 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, instructions, and requested resources are consistent with a podcast RSS feed manager that stores local tracking files; no unrelated credentials or install steps are requested, but a small network-redirect/time-of-check risk in the feed probe implementation should be reviewed before trusting it in sensitive environments.
Guidance
This skill appears to do what it says: fetch public RSS/Atom feeds, summarize episodes, and store minimal local tracking files. Things to consider before installing or enabling it for autonomous use:

- Review the bundled scripts (scripts/feed_probe.py) and, if possible, run them in a sandbox before giving the agent network access. The script includes several good protections (size limit, blocking DOCTYPE/ENTITY, DNS-based private-IP checks), but it performs DNS resolution once before the HTTP request and does not re-validate the final IP after redirects. A malicious or misconfigured feed server could issue a redirect to a private/internal address, potentially enabling SSRF. Ask the maintainer to either block redirects or validate the final resolved IP after redirects.
- The skill will fetch arbitrary HTTP/HTTPS URLs and create files under memory/podcasts. If you run agents in an environment with sensitive internal services, consider restricting outbound network access or running the agent in a network-isolated environment.
- Because the skill writes local files, back up any important data you keep under the memory directory and ensure file permissions are appropriate.
- If you need stronger guarantees, request or implement an additional check that validates the final request target (post-redirect) and/or enforces no-redirect behavior when probing feeds.

Overall the package is coherent and minimal, but review the redirect/SSRF edge case and run the bundled probe in a controlled environment if you have sensitive internal resources.

Review Dimensions

Purpose & Capability
ok: Name and description (subscribe, track, summarize podcasts via public RSS) match the included instructions and the feed_probe helper. No unrelated environment variables, binaries, or config paths are requested.
Instruction Scope
note: SKILL.md restricts behavior to discovering/parsing public feeds and persisting local files under memory/podcasts; it warns against auto-subscribing and exposing private local paths. The included feed_probe.py implements safe parsing, size limits, and blocks private IP ranges. However, the probe resolves DNS before fetching and does not re-check the network location after redirects, which could allow a server to redirect to an internal address (redirect-based SSRF / TOCTOU). The SKILL.md does not explicitly require using the bundled script, so runtime behavior depends on how the agent is implemented.
Install Mechanism
ok: No install spec; this is an instruction-only skill with a small bundled Python utility. Nothing is downloaded from external URLs during install and no system-wide changes are requested.
Credentials
ok: No environment variables, credentials, or config paths are required. The skill operates on public feeds and local workspace files only, which is proportionate to its stated function.
Persistence & Privilege
ok: The always setting is false, and the skill only writes/reads its own workspace files (memory/podcasts). It does not request persistent platform privileges or claim to modify other skills' configs.