AI Daily Digest
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for generating an AI RSS digest, but users should notice that it uses and persists an AI API key and may auto-download the Bun runtime via npx.
Before installing, confirm you are comfortable providing an AI API key, storing the Gemini key in `~/.hn-daily-digest/config.json`, and allowing the skill to fetch public RSS feeds and call Gemini/OpenAI-compatible APIs. Consider deleting the saved config or rotating the key if you use it on a shared or untrusted machine.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Gemini API key may remain on disk after the digest runs and could be reused by future runs or exposed to anyone with access to that local file.
The skill asks for an AI provider API key, uses it as an environment variable, and stores it in a persistent local config file for reuse.
Config file path: `~/.hn-daily-digest/config.json` ... `"geminiApiKey": ""` ... `export GEMINI_API_KEY="<key>"`
Use a limited-scope API key if available, avoid sharing the config file, and delete `~/.hn-daily-digest/config.json` or rotate the key if you no longer trust the environment.
Running the skill may execute a runtime package downloaded at run time, which adds normal package-supply-chain risk.
The skill discloses that it runs the TypeScript script through `npx -y bun`, which may fetch the Bun runtime from the package ecosystem without a pinned version.
`npx -y bun ${SKILL_DIR}/scripts/digest.ts` ... `bun` runtime (installed automatically via `npx -y bun`)
If you want tighter control, install and pin Bun yourself from a trusted source, then adapt the command to use the local pinned runtime.
