newsnow
PassAudited by ClawScan on May 1, 2026.
Overview
This looks like a purpose-aligned news-fetching skill, with only normal caution needed around the external npm/npx CLI and an optional Product Hunt API token.
This skill appears safe for its stated purpose of fetching news, but before installing or invoking it, verify the npm/newsnow package you will run and only provide a narrowly scoped Product Hunt token if you need that source.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill may execute an installed or npm-fetched CLI package, so the trustworthiness of that package matters.
The skill discloses that it depends on an external npm/npx CLI rather than bundled reviewed code; this is expected for a CLI skill, but the artifact does not pin or identify the package provenance.
Requires npm install... allowed-tools:\n - Bash(newsnow *)\n - Bash(npx newsnow *)
Install or run only a verified newsnow package, prefer a pinned version, and review the package source or publisher before use.
If you use the Product Hunt source, the CLI may access Product Hunt using your API token.
The skill documents an optional service API token for one source. This is purpose-aligned, but it is still credential material.
`PRODUCTHUNT_API_TOKEN` - Required for `producthunt` source
Use a token with the minimum necessary scope and avoid exposing it in shared shells, logs, or transcripts.