Skill v0.1.0
ClawScan security
Practical News Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 23, 2026, 9:05 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is a straightforward news-monitoring script that fetches public news pages/APIs, parses items, and saves JSON/markdown reports locally; its requirements and behavior align with that purpose.
- Guidance: This appears to be a benign, self-contained news-monitoring script, but before installing/running: 1) Review and update the source list in _init_sources() so it only queries trusted public endpoints; 2) Change DATA_DIR to a directory you control (avoid running as a privileged user); 3) Inspect the remainder of the Python file (the provided file was truncated in the manifest) to confirm there are no hidden network endpoints or telemetry; 4) Consider pinning the requests dependency (e.g., requests==2.x) and running in a virtualenv; 5) If you plan to run it regularly, run it in a restricted environment or sandbox and monitor its network activity. If you want, I can scan the rest of the file (the truncated portion) or highlight exact lines that write files or perform network requests.
Review Dimensions
- Purpose & Capability (ok): The name/description (news monitor for geopolitics, oil, gold) match the included Python script and SKILL.md. The code implements JSON API and HTML parsing sources, keyword matching, and local persistence — all expected for this functionality.
- Instruction Scope (note): Instructions are limited to installing requests, running the Python script, editing keyword/source configuration, and reading/writing data in a local DATA_DIR. This is within scope. Note: the skill will perform network requests to whatever source URLs are configured and will write files to the user's filesystem (default: ~/shared_memory/practical_news). Users should review configured source URLs before running.
- Install Mechanism (ok): No install spec is provided (instruction-only + a code file). SKILL.md advises pip3 install requests — expected for the script. There is no remote download of arbitrary binaries or extract steps. The lack of pinned package versions is a minor maintenance/security note but not an incoherence.
- Credentials (ok): The skill requests no environment variables or credentials and does not reference system config paths beyond a user-writable data directory. This is proportional to a news-monitoring tool.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated privileges, and only persists its own data files in a configurable local directory. It does not modify other skills or agent-wide configuration in the provided files.
