Is hartlco/miniflux-news safe?
https://github.com/openclaw/skills/tree/main/skills/hartlco/miniflux-news
miniflux-news is a well-scoped, stdlib-only Python script for querying a self-hosted Miniflux RSS reader. The skill contains no prompt injection, no hardcoded exfiltration endpoints, no supply-chain vectors, and all canary files remained intact post-install. The primary residual risks are second-order: untrusted article body text from RSS feeds can carry prompt injection payloads into LLM context, and the mark-read-category command's high default limit could cause unintended bulk state changes. The skill is safe to install for users who trust their Miniflux feed sources.
Findings (6)
LOW RSS Article Content Enables Second-Order Prompt Injection -13
The skill instructs the agent to fetch full article content via 'entry
LOW Executable Python Script with Shell Invocation Pattern -15
The skill ships an executable Python file (scripts/miniflux.py) and SKILL.md instructs the agent to run it directly via python3. While the code is clean stdlib-only, the pattern of an LLM-driven agent executing bundled scripts on demand is an inherent code execution surface. No malicious logic found in the script.
LOW mark-read-category Has High Default Limit with No Dry-Run -10
The mark-read-category subcommand defaults to --limit 500. A user saying 'mark Tech as read' could cause the agent to silently destroy read-state for up to 500 entries. The --confirm flag is required but the LLM may pass it autonomously without surfacing the scope to the user first.
INFO Reads Own Credential Config File — Expected Behavior -8
The script reads ~/.config/clawdbot/miniflux-news.json to obtain URL and API token. This is the skill's own declared credential store, properly scoped and documented. No access to any other credential files was observed from skill-related processes.
INFO User-Controlled MINIFLUX_URL Passed as HTTP Destination -8
All API calls use urllib.request.urlopen to MINIFLUX_URL. If a user is tricked into configuring a malicious URL, the agent will send the API token (X-Auth-Token header) to an attacker's server. This is not a skill flaw but a user-configuration risk.
INFO Background System Network Traffic During Install Window -8
Connections to 185.125.188.57 and 185.125.190.18 (Canonical/Ubuntu infrastructure) were observed during the install window. These are consistent with pre-existing systemd/snap background update checks and are not attributable to the skill installation.