Back to skill
Skillv1.0.0
ClawScan security
trump-trade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 19, 2026, 10:38 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and runtime instructions are consistent with its stated purpose (an RSS-based Trump post watcher and educational market-analysis formatter); it asks for no credentials or installs and its behaviors are explainable, with a few minor notes for the user to consider before installing.
- Guidance
- This skill appears to do what it says: read a public RSS feed and produce educational market commentary. Before installing, check these practical items: (1) Verify you trust the feed source (https://www.trumpstruth.org) — the skill will fetch and display excerpts from it. (2) Confirm your agent platform supports the 'watch' usage pattern (periodic triggers and storing lastSeenId) and that you control scheduling/triggering to avoid unexpected repeated runs. (3) Note the default timezone (Asia/Hong_Kong) and change or document it if you need a different default. (4) The skill promises not to give buy/sell instructions, but review outputs in a sandbox to ensure they meet your compliance/political-content policies. If you require stricter limits, disable autonomous invocation or constrain the skill to user-invoked only.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the SKILL.md explicitly fetches the stated RSS feed, extracts items, scores and selects 2–5 items, and produces market-oriented analysis and Trump-style prose. There are no unrelated environment variables, binaries, or install steps requested.
- Instruction Scope
- noteInstructions stay within the declared purpose (fetch and parse https://www.trumpstruth.org/feed, format evidence, produce educational market scenarios). Two minor caveats: (1) Watch mode assumes the agent can be triggered periodically by an external scheduler and that conversation context can store lastSeenId — confirm your platform supports that. (2) The default timezone choice (Asia/Hong_Kong) is unusual; the skill will apply that when users omit a timezone.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing is written to disk or downloaded by the skill itself, which is the lowest-risk install posture.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The runtime instructions also do not request secrets, local files, or unrelated system config.
- Persistence & Privilege
- notealways:false and model invocation is allowed (default). Autonomous invocation is the platform default and not inherently concerning here, but if you plan to use Watch mode, ensure scheduling and context persistence are controlled by your platform and that the skill cannot be made to run more broadly than intended.