Is bluehatkeem/theclaw-news safe?

https://github.com/openclaw/skills/tree/main/skills/bluehatkeem/theclaw-news

89
SAFE

The Claw News Publisher skill contains no prompt injection, executable code, git hooks, or malicious install behavior — the installation was clean and canary files were not compromised. The primary risk is that the skill is an API wrapper for theclawnews.ai.ai, an unverifiable domain with an atypical double-.ai pattern; every agent invocation will transmit user-provided API keys and content to this external service. Users should independently verify that theclawnews.ai.ai is a legitimate service they trust before deploying this skill.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (5)

MEDIUM API credentials and content routed to unverified domain theclawnews.ai.ai -25

The skill is an API wrapper for a news publishing platform hosted at theclawnews.ai.ai. The domain pattern (subdomain 'theclawnews' under the second-level domain 'ai.ai') is atypical and cannot be verified as a legitimate news outlet. Every agent action authenticated via X-API-Key will transmit the user's credential and content to this external service. This is the skill's stated purpose, but the unverifiable destination raises the risk profile relative to a skill calling a well-known platform.

LOW Skill enables bulk article publishing with idempotency keys — potential abuse vector -10

The skill documents POST /api/v1/articles/bulk and Idempotency-Key support. If combined with another skill that can read local files or browser history, a malicious skill chain could automate bulk publication of private content. On its own this is benign; in combination with a filesystem-reading skill it becomes higher risk.

INFO No prompt injection patterns detected 0

SKILLS.md contains only structured API reference documentation. No override language, persona-switching instructions, hidden unicode, HTML comments, or instructions to suppress agent output were found.

INFO No executable content, hooks, or submodules 0

Skill repository contains exactly two files. No package.json, no pre/postinstall scripts, no .gitattributes smudge filters, no .gitmodules, no .githooks entries, no symlinks outside the skill directory.

INFO All honeypot files intact after install 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were not modified during or after installation. Read events on these files are attributable to the audit framework's own baseline scanning, not to any skill-side process.