Skill v1.0.0

ClawScan security

The Short News · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 10:04 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's description, runtime instructions, and requirements are internally consistent: it is an instruction-only connector for theshort.ai that uses an API key and standard REST endpoints and does not request unrelated privileges or secrets.
Guidance
This skill appears coherent and limited to fetching curated news from theshort.ai. Before installing: (1) confirm you trust theshort.ai and the developer (billing/credit model is documented and calls deduct developer credits); (2) understand that an X-API-Key is required and should be managed via the OpenClaw dashboard (do not paste sensitive unrelated credentials into the skill); (3) verify the privacy/terms if you will transmit user data to get contextualized news; and (4) if you have concerns about autonomous agent actions, restrict or review agent permissions (the skill itself does not request broad system access). If you need higher assurance, ask the maintainer for a provenance link (repository or homepage) and verify the API domain and dashboard URLs are legitimate.

Review Dimensions

Purpose & Capability
ok: The SKILL.md describes a news/search API (topics, tags, news list, news detail) and the instructions only reference theshort.ai endpoints and an X-API-Key for authentication. There are no unrelated credentials, binaries, or config paths requested, so the requested surface matches the stated purpose.
Instruction Scope
ok: The instructions direct the agent to call specific HTTP endpoints on https://theshort.ai/api/external and to include an X-API-Key header. They do not instruct reading local files, other environment variables, or sending data to unrelated endpoints. The doc also documents credit costs and error behavior, which is appropriate for the API.
Install Mechanism
ok: There is no install specification and no code files; this is instruction-only, which is the lowest-risk install mechanism (nothing is written to disk by the skill itself).
Credentials
ok: The skill does not request environment variables or system credentials. Authentication is via an API key (X-API-Key) issued from the platform dashboard, which is proportional to a third-party API integration. Note: calls consume developer credits per the documentation.
Persistence & Privilege
ok: always is false and there is no indication the skill modifies other skills or system-wide settings. The normal autonomous invocation behaviour is allowed by default but not combined with other concerning privileges.