Skill v1.2.1

ClawScan security

Trump Daily Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 2:39 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's required actions (news/search/fetch, generate bilingual reports, read/write a local memory folder) align with its stated purpose; no unrelated credentials, suspicious installs, or hidden endpoints were found, though it writes files locally and uses third‑party fetch proxies (r.jina.ai) which you should be aware of.
Guidance
This skill appears to do what it says: aggregate Trump-related social posts and media articles, pull market prices, and build bilingual reports. Key things to consider before installing:
- File writes: the skill saves fetched pages and reports into a local memory directory (default ./memory/trump-daily). Ensure that directory is a safe place and has appropriate permissions.
- Env var: the script honors TRUMP_DAILY_MEMORY_PATH if set — if you don't want it to read an arbitrary path, do not set that env var or set it to a controlled folder.
- External fetches: the skill uses web_fetch/tavily_search and recommends falling back to r.jina.ai for zero-config scraping. That fetches third-party content and writes it locally; be aware of copyright/paywall implications and that fetched content originates from external services.
- No credentials requested: the skill does not ask for API keys or tokens. If a later version requests unrelated credentials (AWS keys, banking tokens, etc.), treat that as a red flag.
If you want additional assurance: run the included analyze_trends.py against a sandboxed copy of a memory folder first, and consider restricting the skill's network access (or auditing outgoing fetch targets) to limit exposure.

Review Dimensions

Purpose & Capability
ok: The name/description match the behavior: instructions and the included script focus on collecting Trump-related posts and media coverage, querying market data, comparing with historical reports, and producing bilingual analysis. Required capabilities (web searches, web fetches, local memory reads/writes) are appropriate for the stated purpose.
Instruction Scope
note: SKILL.md explicitly instructs the agent to use tavily_search/tavily_extract/web_fetch and to save fetched HTML/text into a memory directory; it also includes python one-liners that fetch via r.jina.ai. This is within scope for news aggregation, but it gives the skill broad discretion to fetch arbitrary URLs and store their content locally — review that behavior if you want stricter limits. The instructions also require extracting market prices from specific sources (Kitco, OilPrice, EIA) which is coherent.
Install Mechanism
ok: No install spec is present (instruction-only with a small helper script). Nothing is downloaded or installed by the skill itself, so there is low installation risk.
Credentials
note: The skill declares no required environment variables, but the included script reads TRUMP_DAILY_MEMORY_PATH (and SKILL.md refers to a memory_path parameter). This is a minor inconsistency: the skill will respect a TRUMP_DAILY_MEMORY_PATH env var if present, otherwise it uses a default local ./memory/trump-daily path. No credentials or sensitive secrets are requested.
Persistence & Privilege
ok: "always" is false and the skill does not request persistent platform-level privileges. It will write archival reports to a local memory directory (normal for a reporting skill); consider the filesystem location and permissions before installing.