Fomo News

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a legitimate news and GitHub aggregation skill; the main cautions are optional GitHub token use and limited provenance metadata.

This skill looks reasonable for fetching public news and GitHub trends. Expect it to contact GitHub, Google News, RSS feeds, and blog feeds. You can run it without a GitHub token; if you set GITHUB_TOKEN, use the least privilege possible. Because the source metadata is limited and the displayed script content was truncated in the review context, inspect the current files before installing or running.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

If GITHUB_TOKEN is set, this skill will use it when calling GitHub. A broadly scoped token is unnecessary for public repository search and increases potential impact if mishandled.

Why it was flagged

The script automatically uses a GITHUB_TOKEN from the environment as a GitHub Bearer token. This is purpose-aligned for GitHub API rate limits, but it is still credential use.

Skill content
if (process.env.GITHUB_TOKEN) headers["Authorization"] = `Bearer ${process.env.GITHUB_TOKEN}`;
Recommendation

Run without a token unless you need higher GitHub rate limits. If you use one, prefer a fine-grained or low-scope token and avoid pasting secrets into chat or command examples.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Users have less information to confirm who maintains the skill or whether the packaged code matches an upstream project.

Why it was flagged

The registry metadata does not identify a source repository or homepage, which limits independent provenance verification before running the included Node script.

Skill content
Source: unknown
Homepage: none
Recommendation

Inspect the provided files before installing or running, and prefer versions with clear source and maintainer provenance when available.