Skill v1.2.8

ClawScan security

AI News Aggregator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 2:19 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, declared env vars, and runtime instructions are consistent with its described purpose (collecting news, summarising with an AI provider, and posting to Discord); only minor documentation/integration inconsistencies were found.
Guidance
This skill appears to do what it says: collect news, summarise via one chosen AI provider, and post to a Discord webhook. Before installing or running it:
1) Be prepared to provide a Discord webhook URL and (by default) your OpenAI API key — these are required for normal operation. Only supply optional service keys (Tavily, Twitter, YouTube, DeepSeek, Anthropic) if you need those sources.
2) The script will make outbound requests to AI provider endpoints and the listed news APIs and then POST to your Discord webhook — verify the webhook points to a channel you control (avoid using webhooks that forward to broad/audit-sensitive channels).
3) The skill uses 'uv' to run and install Python dependencies; follow the project's docs to install 'uv' rather than piping remote install scripts.
4) Minor documentation inconsistencies exist (duplicate OPENAI listing; DISCORD_WEBHOOK_URL_TRENDING used but not declared) — if these matter for your deployment, inspect or run the script in dry-run mode first.
5) If you do not trust the external AI endpoints or the Discord target, do not provide credentials or webhook.
Overall the package is internally consistent with low surprise, but always review/try a dry-run before enabling in production.

Review Dimensions

Purpose & Capability
ok: Name/description match what the package does: fetch RSS/Tavily/Twitter/YouTube, call one AI provider (OpenAI/DeepSeek/Anthropic), and post a formatted digest to a Discord webhook. The required primary credential (OPENAI_API_KEY by default) and DISCORD_WEBHOOK_URL are appropriate for that purpose.
Instruction Scope
note: SKILL.md and the script instruct the agent to run the bundled Python script (via 'uv run') which fetches remote feeds/APIs and posts to Discord. That is within scope. Minor issues: SKILL.md and code reference a DISCORD_WEBHOOK_URL_TRENDING env var (the script falls back to DISCORD_WEBHOOK_URL), and SKILL.md warns not to 'search the web manually' — the script itself performs HTTP requests to many endpoints (expected).
Install Mechanism
ok: No install spec is provided and the skill is instruction-only with a bundled Python script. The script leverages 'uv' to run and install listed Python deps (PEP 723 header). Requiring 'uv' is reasonable here; no remote arbitrary download/install URLs or extract steps are present.
Credentials
note: Requested envs are proportional: DISCORD_WEBHOOK_URL (required) and OPENAI_API_KEY (primary) make sense. Optional keys (DEEPSEEK, ANTHROPIC, TAVILY, TWITTERAPI_IO, YOUTUBE) are reasonable for optional features. Minor inconsistencies: OPENAI_API_KEY appears both as primary and again under optionalEnv in SKILL.md, and DISCORD_WEBHOOK_URL_TRENDING is read by the script but not declared in requires.env.
Persistence & Privilege
ok: always:false (default) and there is no install-time modification of other skills or global agent config. The skill does network I/O only when run; it does not request elevated or persistent platform privileges.