Cctv News Fetcher 1.0.0

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it says: run a local JavaScript crawler to fetch public CCTV news pages, with minor notes about outbound web access and package provenance.

This skill looks safe for its stated purpose if you are comfortable with it running an included JavaScript crawler and making outbound requests to CCTV/CNTV. Install dependencies from the lockfile where possible, and note that the package has minor provenance ambiguity but no artifact-backed evidence of credential use, persistence, file modification, or destructive actions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run the included script locally when you ask it to fetch news.

Why it was flagged

The skill explicitly relies on running a bundled JavaScript file. This is purpose-aligned for a crawler, but users should recognize it executes local code.

Skill content

Execute the script at `{baseDir}/scripts/news_crawler.js` using `bun` or `node`.

Recommendation

Install only if you are comfortable running the included JavaScript under Node or Bun, and keep execution limited to user-requested news lookups.

What this means

The skill contacts external CCTV/CNTV web pages and summarizes the content they return.

Why it was flagged

The crawler makes outbound web requests to the CCTV page for the requested date and then to article links parsed from that page. This matches the news-fetching purpose, and the requests do not include local user data.

Skill content

const response = await fetch(url); ... const pageResponse = await fetch(pageUrl, { headers });

Recommendation

Use it only when outbound requests to CCTV/CNTV are acceptable, and treat fetched article text as untrusted source material for summarization.

What this means

The package identity is slightly inconsistent, so users have less provenance assurance than with a clearly linked source repository.

Why it was flagged

The packaged _meta.json owner/slug differ from the registry metadata shown for this submission, and the public source/homepage is not provided. This is a provenance note, not evidence of malicious behavior.

Skill content

"ownerId": "kn7e8pavq30z0e9ys21svajh6580dk8q", "slug": "cctv-news-fetcher"

Recommendation

If provenance matters, verify the publisher and install dependencies using the provided package-lock.json rather than resolving unpinned versions.