Skill v1.0.0
ClawScan security
Cinema Insider Top-10 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 4:01 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested actions, tools, and lack of credentials/install steps are consistent with its stated purpose of aggregating and analyzing industry news.
- Guidance: This skill appears coherent and low-risk: it will fetch public RSS feeds and web pages and may capture media previews via the browser tool. Before installing, verify that you are comfortable with the agent making outbound web requests and downloading/previewing images from those sources, and confirm the listed feed URLs are ones you trust (some feeds listed use HTTP — consider switching to HTTPS where available). There are no credential requests, but if you have policy limits on the agent's web access or autonomous invocation, consider restricting those (or require user approval) to reduce accidental data exposure. Also be aware of copyright/licensing implications if you plan to redistribute captured media or quoted text.
Review Dimensions
- Purpose & Capability: ok. The name/description match the instructions: aggregating RSS feeds, deduplicating, cross-referencing and ranking news. The declared toolset (web_fetch, web_search, browser, LLM Reasoning) is appropriate for that goal and there are no unrelated credentials, binaries, or config paths requested.
- Instruction Scope: ok. SKILL.md confines work to fetching/parsing curated RSS feeds, cross-checking via web_search, and optionally using the browser to capture visual previews. It does not instruct reading local files, environment secrets, or writing system configuration. Note: the browser and web tools will fetch external pages and media as part of normal operation.
- Install Mechanism: ok. Instruction-only skill with no install spec and no code files — nothing is written to disk and no external packages are downloaded, which minimizes install risk.
- Credentials: ok. The skill requests no environment variables, credentials, or config paths. The lack of secrets is proportionate to the described functionality.
- Persistence & Privilege: ok. always:false (no permanent inclusion). disable-model-invocation is false (agent can be invoked autonomously), which is the platform default; combined with web access this increases what the agent can do but is expected for a web-aggregation skill.
