Skill v1.0.0

ClawScan security

Cctv News Fetcher Hardened · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 1:40 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill’s code, runtime instructions, and declared requirements are coherent with its stated purpose (crawling/parsing CCTV news); it does not request extra credentials or unusual install channels, but you should still install dependencies and run it in a controlled environment.
Guidance
This skill appears coherent with its purpose, but before installing or using it: (1) ensure your environment has a compatible Node or Bun runtime and manually install dependencies (bun install / npm install) rather than asking the agent to run package managers, per the shipped guardrails; (2) run the crawler in a network-controlled or sandboxed environment if you have strict egress policies (it performs HTTP fetches and follows article links discovered on listing pages); (3) review and, if desired, remove or replace the hard-coded Cookie/header values in the script; (4) be aware the agent must obey the SKILL.md guardrails — do not permit it to fetch arbitrary external URLs discovered in article content or to execute commands beyond bun/node news_crawler.js <date>.

Review Dimensions

Purpose & Capability
ok: The name/description match the included JS crawler and the SKILL.md instructions. The skill requires only Node/Bun and node-html-parser (declared in package.json); no unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note: SKILL.md limits the agent to running the provided script and to summarizing its JSON output, which is appropriate. The bundled script itself performs HTTP fetches of listing pages and then follows article links discovered on those pages (expected for a crawler). The SKILL.md also includes guardrails forbidding following arbitrary embedded URLs in crawled article content — that guardrail is sensible and should be respected by the agent when presenting or handling extracted content.
Install Mechanism
ok: No install spec is provided (instruction-only plus code file). All dependencies are standard npm packages referenced in package.json/package-lock.json. No downloads from untrusted ad-hoc URLs or archive extraction are present.
Credentials
ok: The skill requires no environment variables or secrets. The code contains a hard-coded Cookie and header values (non-secret), which is unusual but not a credential request. No disproportionate credential access is requested.
Persistence & Privilege
ok: always is false and the skill does not request persistent elevated privileges or modify other skills or system-wide settings. Autonomous invocation is allowed (platform default), but that is not combined with other concerning privileges.