v2026.4.16

naver-news-briefing

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:18 AM.

Analysis

The skill appears to match its stated Naver News briefing purpose, but users should notice that it stores Naver API credentials and local monitoring settings.

Guidance: This looks purpose-aligned for Naver News search and monitoring. Before installing, be comfortable storing Naver API credentials in the skill's local data directory and saving persistent watch/group rules. Review any generated cron or OpenClaw systemEvent text before enabling scheduled runs.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Info | Confidence: High | Status: Note
SKILL.md
`integration-plan` returns a more practical operator bundle: save command, run command, schedule object, cron line, OpenClaw-friendly systemEvent text

The skill can generate recurring-monitoring instructions and scheduler-ready text. The artifacts frame this as operator guidance and explicitly describe saved plans rather than hidden autonomous execution.

User impact: If the user copies the generated cron/systemEvent guidance, news checks may run repeatedly on the chosen schedule.
Recommendation: Only install scheduled jobs after reviewing the generated command, cadence, output destination, and how to disable or remove the schedule.
Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: Medium | Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The registry metadata does not provide strong provenance or setup declarations, even though the package includes executable Python scripts. The included artifacts are coherent, so this is a review note rather than a concern.

User impact: Users have less registry-level provenance and dependency information to rely on before running the included scripts.
Recommendation: Prefer installing from a trusted registry entry or verify the referenced project/source before use; review the local scripts and dependencies before running setup.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
credentials are stored in `data/config.json` and use DPAPI-backed secret storage on Windows when possible

The skill requires and stores Naver Search API credentials. This is expected for the integration, but it is sensitive account material that affects the user's API access and quota.

User impact: Anyone with access to the stored config may be able to use the user's Naver Search API credentials, especially on non-Windows systems where DPAPI protection is not available.
Recommendation: Use dedicated Naver API credentials for this skill, protect the data directory, avoid sharing config files, and rotate the credentials if the machine or files are exposed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: High | Status: Note
SKILL.md
Preserve operator-facing metadata on saved watch/group entries: `label`, `tags`, `template`, `schedule`, `operator_hints`, and original request context.

The skill intentionally keeps persistent local watch/group state and original request context, which can influence later briefings or reveal the user's monitoring interests.

User impact: Saved queries, labels, tags, schedules, and request context may persist across sessions and be reused in future news checks.
Recommendation: Review saved watch and group entries periodically, avoid putting private details in labels/context, and remove rules or groups that are no longer needed.