ClawHub

Intelligence Suite

v1.0.3

Makima's All-Seeing Intelligence Suite. Combines real-time AI news tracking and global news monitoring for a comprehensive strategic briefing.

3· 3.5k·8 current·9 all-time
by@xhrisfu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description and required binaries (node/npm) match the included JS scripts and dependencies. HOWEVER the skill declares a constrained network permission set in SKILL.md (specific hosts) while the included scripts will request arbitrary item.link URLs (not constrained) — e.g., Hacker News items may point to any domain. Requesting broad network access would be reasonable for a news-scraper; declaring only a small allowlist but not enforcing it is incoherent.
!
Instruction Scope
The runtime instructions and scripts perform deep scraping of article pages (fetchContent) and will attempt to visit each item's link. The code does not restrict fetchContent to the declared hosts and will fetch arbitrary external URLs (HN links in scan.js), which increases the surface for contacting unexpected endpoints and retrieving unpredictable content. The SKILL.md mentions filesystem read permission but the scripts do not read local files — another minor mismatch.
Install Mechanism
No install spec in the registry; instructions use 'npm install' and package.json lists standard dependencies (axios, cheerio, rss-parser). Dependencies and the lack of opaque downloads are consistent with purpose and low install risk.
Credentials
No environment variables or credentials are requested. The skill does not attempt to access cloud keys or local secrets in code. This is proportionate to a news-scraping tool.
Persistence & Privilege
always is false and the skill does not request elevated/persistent platform privileges. It only runs scripts that perform network fetches and console output; it does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a straightforward news-scraper, but there is a meaningful mismatch: the code will follow and fetch arbitrary article links (especially from Hacker News), while the skill's metadata lists a small set of allowed hosts. That means it can contact domains not listed in SKILL.md — increasing risk (unexpected network calls, external content, potential to query internal addresses if the runtime isn't sandboxed). Before installing: (1) run it in an isolated/sandboxed environment or container, (2) confirm the agent runtime/network policy (will the agent actually allow outbound calls to arbitrary domains?), (3) ask the maintainer to enforce domain filtering in code (only fetch hosts from a vetted allowlist), and (4) review logs/output for any unexpected endpoints. If you need high assurance, request the maintainer add explicit host filtering and/or limit Hacker News scraping to safe domains or remove HN feed entirely.

Like a lobster shell, security has layers — review code before you run it.

intelligencevk97116k3dq93zvgh15njwtw38580n7a6latestvk97a1yaqnp9f4x2jtjthf70ann8128ynmakimavk97116k3dq93zvgh15njwtw38580n7a6newsvk97116k3dq93zvgh15njwtw38580n7a6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📡 Clawdis
Binsnode, npm

Comments