feed-diet
PassAudited by ClawScan on May 1, 2026.
Overview
Feed Diet appears to do what it claims—analyze HN/RSS reading habits—but it runs local scripts, may send feed item titles/URLs to LLM providers, and leaves fetched items in a local cache.
This skill is reasonable for auditing HN/RSS reading habits. Before installing, be aware that it runs shell scripts, fetches feed URLs, may classify feed metadata with an LLM provider, and keeps local cache files; use trusted OPML files and clear the cache if the feed data is private.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the skill will run shell scripts and contact Hacker News or RSS feed URLs based on the username or OPML file you provide.
The skill directs the agent to run included shell scripts and fetch external HN/RSS data. This is central to the stated purpose and user-directed, but it is still local command and network activity.
Run the appropriate fetch script: `bash "$SKILL_DIR/scripts/hn-fetch.sh" USERNAME 100` ... `bash "$SKILL_DIR/scripts/opml-parse.sh" /path/to/feeds.opml`
Use it with HN usernames and OPML files you intend to analyze; avoid feeding untrusted OPML files unless you are comfortable with the listed feed URLs being fetched.
The skill may fail or behave differently if these tools are missing, even though the registry requirements do not advertise them.
The README documents runtime dependencies and optional provider keys, while the registry metadata declares no required binaries or credentials. This is an under-declared metadata issue, not evidence of hidden installation behavior.
Requirements - `bash` 4+ - `curl` - `python3` ... Optional: `ANTHROPIC_API_KEY` or `OPENAI_API_KEY`
Before installing, ensure bash, curl, python3, and jq are available; the publisher should align registry requirements with the README.
If you set these API keys, the skill can consume your provider quota and send classification requests through your account.
The classifier can use optional Anthropic or OpenAI API keys for LLM classification. This is expected for the documented LLM feature, and the artifacts do not show the keys being logged or sent to unrelated endpoints.
-H "x-api-key: ${ANTHROPIC_API_KEY}" ... -H "Authorization: Bearer ${OPENAI_API_KEY}"Only set provider keys you intend this skill to use, and monitor provider usage if cost or quota matters.
Your feed item titles and URLs may be processed by an LLM provider during classification.
Feed item titles and URLs are batched into a prompt and may be sent to the OpenClaw LLM path or to Anthropic/OpenAI. This is purpose-aligned, but users should know reading metadata may leave the local machine.
PROMPT="...Items to classify:\n${BATCH_JSON}..." ... `openclaw llm --raw` ... `https://api.anthropic.com/v1/messages` ... `https://api.openai.com/v1/chat/completions`If feed privacy matters, review provider settings and consider using the keyword fallback; the publisher should clearly document that `openclaw llm` may be used before direct API-key fallback.
RSS item metadata from your OPML feeds may remain on disk in the skill cache.
Fetched OPML/RSS items are written to a cache file. This is a straightforward local cache, but it can retain a record of analyzed feed items after the report is generated.
CACHE_FILE="${CACHE_DIR}/opml_items.jsonl"
> "$CACHE_FILE"
...
echo "$ITEMS" >> "$CACHE_FILE"Clear the feed-diet cache after use if you do not want analyzed feed items retained locally.