Skillv1.0.0

ClawScan security

MIXLAB Solo Scope（每日简报） · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 18, 2026, 12:29 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions and requirements are coherent with its stated purpose (fetch an RSS feed, categorize entries, and produce short Markdown summaries); nothing requests unrelated credentials or risky installs, though there's a small metadata vs. instructions mismatch about curl.
Guidance: This skill appears to do exactly what it says: fetch the Solo Scope RSS and create categorized 140-character summaries in Markdown. Before installing, note two practical points: (1) SKILL.md uses curl but the skill metadata doesn't list any required binaries — make sure the runtime environment has curl (or adjust the instructions to use an available HTTP client). (2) The skill may write the generated Markdown into the project workspace; confirm you're comfortable with the agent creating files there. There are no requested credentials or installers and no evidence of unrelated data collection. If you want extra caution, run it once in a restricted workspace or manually fetch the feed and inspect results before enabling autonomous runs.

Review Dimensions

Purpose & Capability: noteThe name/description (generate briefings from the Solo Scope RSS) matches the SKILL.md instructions: fetching https://www.mixdao.world/feed, parsing items, grouping into 3–6 categories, and writing 140-character summaries. One minor inconsistency: the skill metadata lists no required binaries, but the SKILL.md explicitly uses curl to fetch the feed—environments lacking curl may fail. No unrelated services, credentials, or surprising capabilities are requested.
Instruction Scope: okRuntime instructions are narrowly scoped to fetching the specified RSS URL, parsing item title/link/description, categorizing, and producing Markdown output. The SKILL.md does mention writing output to project files or replying directly; this is expected for a summarization skill. It does not instruct collecting other system files, reading environment variables, or contacting endpoints beyond the declared RSS feed. (The agent could voluntarily follow links if given additional discretion, but the instructions do not request that.)
Install Mechanism: okThere is no install spec and no code files—this is instruction-only, which minimizes install risk. No downloads, packages, or extract operations are specified.
Credentials: okThe skill declares no required environment variables, credentials, or config paths, which is appropriate for an RSS summarizer. There are no requests for unrelated secrets or high-privilege access.
Persistence & Privilege: okalways is false and the skill does not request elevated or persistent platform privileges. The only persistence implied is optional writing of the generated Markdown into the project workspace, which is reasonable for this function but worth noting as a potential site of stored outputs.