Is ddrayne/bbc-news safe?
https://github.com/openclaw/skills/tree/main/skills/ddrayne/bbc-news
The BBC News skill is a straightforward Python RSS reader that fetches headlines from feeds.bbci.co.uk using the feedparser library. Code review, filesystem monitoring, canary integrity checks, and network analysis all confirm the skill behaves exactly as documented with no prompt injection, no credential access, no exfiltration, and no unexpected behavior at install or runtime. The only minor concerns are the lack of a pinned feedparser version and the expected outbound HTTP traffic to BBC servers on agent invocation.
Findings (3)
LOW: Executable Python script with no version-pinned dependency (-5)
The skill's core functionality depends on running scripts/bbc_news.py and installing feedparser via pip without a pinned version or hash. While feedparser is a well-established library, unpinned pip dependencies carry supply-chain risk if the upstream package were ever compromised.
INFO: Outbound connections to BBC RSS on agent invocation (-6)
Every time the agent uses this skill it will make HTTPS requests to feeds.bbci.co.uk. This is expected and documented behavior, not malicious, but means the skill produces outbound network traffic.
INFO: SKILL.md frontmatter accurately describes skill scope (-3)
The description field correctly and narrowly characterizes the skill as a BBC RSS fetcher. It makes no attempt to expand agent permissions, redefine the agent's role, or chain with unrelated capabilities.