ClawHub

AI news generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill matches its stated purpose of posting a daily news digest to Discord, but users should control the Discord webhook and any recurring schedule carefully.

This appears safe for its intended purpose. Before installing, use a dedicated Discord webhook, keep the webhook URL private, verify the target channel and schedule, and consider previewing generated news in public or high-trust servers.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI03: Identity and Privilege Abuse
Low
What this means

Anyone or any scheduled task with the webhook URL can post messages to the Discord channel.

Why it was flagged

A Discord webhook URL is a bearer-style credential that allows posting to the configured Discord channel. This is expected for the skill, but users should recognize it as delegated posting authority.

Skill content
| **Webhook URL** | Set in scheduled task | ... --webhook "WEBHOOK_URL_HERE"
Recommendation

Use a dedicated Discord webhook for the intended channel, keep the URL private, and rotate or delete it if it is exposed.

#ASI02: Tool Misuse and Exploitation
Low
What this means

Incorrect, misleading, or unintended generated news content could be posted to the configured Discord channel.

Why it was flagged

The bundled helper sends the generated digest to the supplied webhook URL. This is the stated purpose, but it is still an external publishing action.

Skill content
urllib.request.Request(webhook_url, data=data, headers={"Content-Type": "application/json"}, method="POST")
Recommendation

For important or public channels, preview the digest and links before sending or use a low-risk dedicated channel.

#ASI10: Rogue Agents
Low
What this means

The Discord channel may receive automated daily posts without a human approving each individual digest.

Why it was flagged

The skill explicitly supports recurring automated posting. This is disclosed and purpose-aligned, but it creates ongoing activity after setup.

Skill content
This skill handles both one-off sends and recurring scheduled deliveries. ... **Schedule** | 8:00 AM daily
Recommendation

Confirm the schedule, topics, webhook target, and disable path before enabling recurring delivery.