Skill v0.1.1

ClawScan security

Multisource Intel Radar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 28, 2026, 3:15 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches a feed-ingest + keyword-digest tool, but the README promises non-RSS scraping (WeChat / Xiaohongshu browser search) and other behaviors that are not implemented in the included scripts, and it uses a hard-coded example local OPML path which could cause accidental reading of private files — review before running.
Guidance
Before installing or running: (1) Note that the code only implements OPML->feeds parsing and RSS/Atom fetching + scoring — WeChat/Xiaohongshu scraping and 'browser search' are described but not implemented; expect manual steps or additional tooling if you need those sources. (2) The SKILL.md default OPML path points to a personal home directory; check and sanitize your OPML (assets/feeds.txt) so you don't leak private feed URLs. (3) The scripts make outbound HTTP requests to up to 20 feeds (default) — review the feed list for unwanted domains and be mindful of rate limits and scraping legality for non-RSS platforms. (4) If you need automated XHS/WeChat ingestion, ask the author for details or a concrete, auditable implementation (including how credentials/session cookies are handled); avoid running opaque browser automation. (5) Run the scripts in a sandboxed environment first and inspect outputs (and feed URLs) before integrating into daily automation.

Review Dimensions

Purpose & Capability
note: The name/description (multi-source radar across RSS/OPML + non-RSS sources) largely matches the included parsing and digest scripts, which handle OPML -> feeds and RSS/Atom scoring. However, the skill claims support for non-RSS sources (WeChat OA, Xiaohongshu) and browser search for XHS, which are not implemented in the code; that capability mismatch is unexplained but could be intended as a manual step.
Instruction Scope
concern: SKILL.md instructs parsing a user-specific OPML default (/Users/rogeryang/Downloads/follow.opml), running browser searches for Xiaohongshu, and using watchlist files for WeChat/XHS. The provided scripts only handle OPML parsing and RSS/Atom fetching/scoring — there is no code to perform browser searches, scrape WeChat/XHS, or integrate those watchlists. The default path may cause accidental exposure of local private feeds; the instructions also leave scraping/legal/credential details unspecified.
Install Mechanism
ok: No install spec or remote downloads; included code files are plain Python scripts with standard library usage (urllib, xml.etree). No third-party packages or external installers are pulled in.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The scripts make outbound HTTP(S) requests to feed URLs but do not request secrets or access other system credentials.
Persistence & Privilege
ok: The skill does not request always:true and is user-invocable only. It does not modify other skills or claim persistent system-wide privileges.