daily-news

[Skill Scanner] Installation of third-party script detected No clear signs of malware or covert exfiltration in the provided skill description. The design is coherent with its purpose (news fetching, summarization, and publishing). However, it contains several high-risk operational behaviors: it modifies the user's ~/.claude.json to add an npx-based Browser MCP command, uses the user's browser login state to fetch authenticated content, and includes automated git/gh push steps that could publish data. These are legitimate for the stated functionality but require explicit, informed user consent and caution. Recommend making the ~/.claude.json modification optional with an explicit prompt, documenting exactly what data Browser MCP can access, and warning users before performing git pushes or running npx. LLM verification: The skill's documented behavior is functionally consistent with a news aggregator/summarizer and many actions are reasonable for that purpose (reading method configs, fetching feeds, storing results, generating summaries). However, there are notable security concerns: it executes arbitrary method code from a local directory, modifies a user config (~/.claude.json) to register a third-party 'browsermcp' command that will be invoked via npx (unversioned), and encourages use of the user's logged-in