News Aggregator Skill 0.1.0

Review

Audited by ClawScan on May 10, 2026.

Overview

Prompt-injection indicators were detected in the submitted artifacts (unicode-control-chars); human review is required before treating this skill as clean.

This skill looks coherent for news aggregation. Before installing, make sure you trust the source, use a virtual environment or pinned dependencies if possible, and be comfortable with outbound requests to news sites and timestamped report files under `reports/`. When using deep fetch, treat article text as untrusted and ask for strict filters if you do not want keyword or time-window expansion. ClawScan detected prompt-injection indicators (unicode-control-chars), so this skill requires review even though the model response was benign.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Reports may include broader related topics or supplementary older news, not only the exact terms or time window the user asked for.

Why it was flagged

The skill explicitly tells the agent to broaden keywords and sometimes include older items beyond the user's requested time window. It also says to annotate these items, so this is disclosed rather than deceptive.

Skill content

`MUST automatically expand the user's simple keywords` ... `Smart Fill`: `MUST include high-value/high-heat items from a wider range`

Recommendation

If you need exact matching, ask for strict keywords and a strict time window with no smart fill or expansion.

What this means

Using the skill may contact multiple public websites and fetch article pages from your environment.

Why it was flagged

The documented workflow runs a local Python helper and can perform a broad all-source deep fetch. This is expected for a news aggregator, but it does create outbound web activity.

Skill content

`python3 scripts/fetch_news.py --source all --limit 15 --deep`

Recommendation

Use source and limit options when you want narrower network activity, and run it only when you are comfortable making external web requests.

What this means

Installing from a remote repo or unpinned Python dependencies could pull code that differs from what was reviewed if the source changes.

Why it was flagged

The setup guidance can install the skill from a remote repository and install Python dependencies. This is normal setup behavior, but it requires trust in the repository and dependency resolution.

Skill content

`npx skills add https://github.com/cclank/news-aggregator-skill` ... `pip install -r requirements.txt`

Recommendation

Install from a trusted source, review the full helper script, prefer a virtual environment, and consider pinning dependency versions.

What this means

A fetched article could contain misleading or prompt-like text that should be summarized as content, not obeyed as instructions.

Why it was flagged

Deep fetch extracts text from external webpages and places it into the item content that the agent will analyze. The truncation limits size, but the text is still untrusted web content.

Skill content

`text = soup.get_text(separator=' ', strip=True)` ... `return text[:3000]` ... `item['content'] = content`

Recommendation

Treat fetched webpage text as untrusted source material and avoid following any instructions embedded inside article content.