Follow News

Pass

Audited by ClawScan on May 12, 2026.

Overview

No malicious behavior is evident, but this instruction-only news skill references missing helper scripts and optional service credentials, so users should verify the source and credential scopes before use.

Before installing, confirm the referenced GitHub source and scripts match the version you intend to run, review those scripts because they were not included in this artifact, and use narrowly scoped provider credentials. Do not provide wallet seed phrases or unrelated account credentials for a news digest workflow.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may not work as installed, or a user may need to obtain unreviewed code from an external source to make it functional.

Why it was flagged

The skill relies on helper scripts such as run-pipeline.py, validate-config.py, and source fetchers, but the provided manifest lists only SKILL.md and no install spec/code files. That limits review of the actual runnable implementation.

Skill content

Run `run-pipeline.py` first, then render with the requested template.

Recommendation

Use only a verified repository/version and review the referenced scripts before running them or giving them credentials.

What this means

If over-scoped or mishandled, these credentials could expose provider accounts or GitHub App access.

Why it was flagged

The skill discloses optional provider credentials for Twitter/X, search, and GitHub access. These are purpose-aligned for collecting news and rate-limit handling, but they are sensitive account credentials.

Skill content

GETX_API_KEY ... X_BEARER_TOKEN ... TWITTERAPI_IO_KEY ... GITHUB_TOKEN ... GH_APP_KEY_FILE ... Path to GitHub App private key PEM file

Recommendation

Provide only the minimum read-only credentials needed, avoid broad GitHub tokens/private keys where possible, and rotate any key used with unreviewed helper scripts.

What this means

Running the skill may open or close browser tabs/windows and could use the active account context depending on the OpenCLI setup.

Why it was flagged

The skill may use OpenCLI/browser automation for X/Twitter collection. This is disclosed and aligned with KOL monitoring, but browser automation can interact with user sessions or browser windows.

Skill content

OPENCLI_CLOSE_TABS_AFTER_RUN ... close OpenCLI-created X/Twitter tabs ... OPENCLI_CLOSE_CHROME_WINDOWS_AFTER_RUN ... close Chrome automation windows opened by OpenCLI on macOS

Recommendation

Run browser-backed collection in a dedicated browser profile/account and confirm what OpenCLI can access before using it.