Skill v1.0.0
ClawScan security
每日新闻 (Daily News) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 4:54 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its description: it fetches news from https://api.cjiot.cc, requires only curl/node, requests no credentials, and does not perform unexpected actions.
- Guidance: This skill appears coherent and minimal: it fetches news from the third‑party endpoint api.cjiot.cc using HTTPS. Before installing, consider whether you trust that external provider (requests will reveal what articles/dates users ask about and the agent's IP address); verify the API's availability and privacy/terms if that matters. If you require offline or self-hosted sources, this skill does not provide them. Otherwise the included Node scripts are simple and do not access local secrets or perform unexpected actions.
Review Dimensions
- Purpose & Capability: ok. Name/description claim to fetch daily news from an API; included scripts and SKILL.md call only https://api.cjiot.cc and implement list/detail retrieval, which is consistent with the stated purpose. Required binaries (node, curl) are reasonable for this functionality.
- Instruction Scope: ok. Runtime instructions and the two Node scripts only perform HTTPS GET requests to api.cjiot.cc, parse JSON, and format output. They do not read local files, access unrelated environment variables, or transmit data to other endpoints. They require keeping a local context for list→detail navigation, which is documented.
- Install Mechanism: ok. No install spec is provided (instruction-only plus small included scripts). This minimizes risk; scripts are plain Node code using the built-in https module and are not downloaded from arbitrary URLs or archives.
- Credentials: ok. The skill lists no required environment variables or credentials. It does not request access to unrelated services or secrets. The absence of credentials is appropriate for a public-news API client.
- Persistence & Privilege: ok. The skill is not marked always:true and does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but is not combined with elevated privileges or secret access.
