follow-news @ 3.18.0
github.com/clawhub.ai/follow-news
Scanned Thu, 28 May 2026 16:05:48 GMT
Scan ID crawl-l3wslgudmlvtb0uxa8ttloqf · 10ms
Grade: F
Score: 0 / 100
Verdict: Do not install

4 critical findings.

This skill exfiltrates environment secrets ($GITHUB_TOKEN) plus 5 other issues listed below.

4 critical · 1 high · 1 medium · 6 rules passed

Why grade F?

score · 0 / 100

The current grade reflects 4 critical findings (any 2+ CRITs → F).

4 CRIT · 1 HIGH · 1 MED · 0 LOW
To reach a higher grade
  • D (target score 30)

    Resolve 3 of your 4 CRIT findings. Any single remaining CRIT still keeps you at D.

  • C (target score 55)

    Resolve all 4 CRIT findings.

  • B (target score 75)

    Resolve all 4 CRIT findings.

  • A (target score 95)

    Resolve all 4 CRIT findings and the 1 HIGH finding.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

crit
Skill references secret env var $GITHUB_TOKEN
The skill instructions reference `$GITHUB_TOKEN`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvesting · line: 229 · CWE-200
227  - **Output**: Final merged JSON ready for report generation (~30s total)
228  - **Metadata**: Saves per-step timing and counts to `*.meta.json`
229  - **GitHub Auth**: Auto-generates GitHub App token if `$GITHUB_TOKEN` not set
     ^ references $GITHUB_TOKEN — potential credential leak
230  - **Fallback**: If this fails, run individual scripts below
231
crit
Skill references secret env var $GITHUB_TOKEN
The skill instructions reference `$GITHUB_TOKEN`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvesting · line: 268 · CWE-200
266  ```
267  - Parallel fetching (10 workers), 30s timeout
268  - Auth priority: `$GITHUB_TOKEN` → GitHub App auto-generate → `gh` CLI → unauthenticated (60 req/hr)
     ^ references $GITHUB_TOKEN — potential credential leak
269
270
crit
Skill references secret env var $GITHUB_TOKEN
The skill instructions reference `$GITHUB_TOKEN`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvesting · line: 651 · CWE-200
649  ### Credential & File Access
650  Scripts do **not** directly read `~/.config/`, `~/.ssh/`, or any credential files. API tokens used directly by the scripts are read from environment variables declared in the skill metadata. OpenCLI-backed Twitter/X and Xiaoyuzhou sources delegate authentication to the user's configured OpenCLI/browser session. The GitHub auth cascade is:
651  1. `$GITHUB_TOKEN` env var (you control what to provide)
     ^ references $GITHUB_TOKEN — potential credential leak
652  2. GitHub App token generation (only if you set `GH_APP_ID`, `GH_APP_INSTALL_ID`, and `GH_APP_KEY_FILE` — uses inline JWT signing via `openssl` CLI, no external scripts involved)
653  3. `gh auth token` CLI (delegates to gh's own secure credential store)
crit
Skill references secret env var $GITHUB_TOKEN
The skill instructions reference `$GITHUB_TOKEN`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvesting · line: 656 · CWE-200
654  4. Unauthenticated (60 req/hr, safe fallback)
655
656  If you prefer no automatic credential discovery, simply set `$GITHUB_TOKEN` and the script will use it directly without attempting steps 2-3.
     ^ references $GITHUB_TOKEN — potential credential leak
657
658  ### Dependency Installation
high
Sensitive filesystem path referenced
The skill references a path (`~/.ssh/`) that contains credentials or system secrets. Reading this from an unsandboxed skill is a credential-exfiltration vector.
rule: filesystem-overreach · line: 650 · CWE-552
648
649  ### Credential & File Access
650  Scripts do **not** directly read `~/.config/`, `~/.ssh/`, or any credential files. API tokens used directly by the scripts are read from environment variables declared in the skill metadata. OpenCLI-backed Twitter/X and Xiaoyuzhou sources delegate authentication to the user's configured OpenCLI/browser session. The GitHub auth cascade is:
     ^ sensitive path — credential-exfiltration vector
651  1. `$GITHUB_TOKEN` env var (you control what to provide)
652  2. GitHub App token generation (only if you set `GH_APP_ID`, `GH_APP_INSTALL_ID`, and `GH_APP_KEY_FILE` — uses inline JWT signing via `openssl` CLI, no external scripts involved)
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-l3wslgudmlvtb0uxa8ttloqf