Back to skill
Skillv1.0.0
ClawScan security
news-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 4:40 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are coherent with its stated purpose of fetching news from https://api.cjiot.cc and do not request unrelated privileges or secrets.
- Guidance
- This skill fetches news from the third‑party host api.cjiot.cc and appears to do only that. Before installing, consider: (1) trustworthiness and privacy policy of api.cjiot.cc (requests will contact that external server); (2) API rate limits noted in SKILL.md; (3) running the included Node scripts locally to inspect behavior yourself (they use HTTPS and parse JSON); and (4) sandboxing the skill if you want to limit network access. No credentials are requested by the skill.
Review Dimensions
- Purpose & Capability
- okName/description describe fetching daily news from api.cjiot.cc; the included Node scripts and SKILL.md call that same API. Required binaries list 'node' (used to run the scripts) and 'curl' (used in SKILL.md examples), so overall requirements match the described functionality. Minor note: the shipped scripts use Node's https module rather than invoking curl, but curl is only used in documentation/examples.
- Instruction Scope
- okSKILL.md instructs only to call the documented api.cjiot.cc endpoints, parse results, strip HTML, sort and display items, and keep context for subsequent detail requests. It does not instruct reading local secrets, other files, or transmitting data to unexpected endpoints.
- Install Mechanism
- okThere is no install spec (instruction-only with two small scripts). No downloads, third‑party package installs, or archive extraction are performed by the skill itself.
- Credentials
- okThe skill declares no required environment variables or credentials. The Node scripts make HTTPS requests to the single API host and do not access environment secrets or unrelated services.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills or system-wide configs, and contains no code that persists credentials or forces permanent presence.