Designer Intelligence Station

Security checks across malware telemetry and agentic risk

Overview

The skill largely behaves like a news-collection and reporting tool, but its local-only and no-login claims are undercut by an optional social-media setup that relies on browser cookies or logged-in sessions, and by report-sending examples that target a fixed recipient.

Review before installing. Use a virtual environment, manually inspect the source list, and run it manually before enabling cron. Disable or avoid the Twitter/X and Xiaohongshu sources unless you intentionally want to provide cookies or logged-in sessions. Verify any message recipient before sending reports, and use a private output directory instead of /tmp for confidential material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"\n=== 安装缺失的依赖 ===\n")  # "=== Installing missing dependencies ==="

    try:
        subprocess.run(
            [sys.executable, '-m', 'pip', 'install', '-r',
             os.path.join(get_root_dir(), 'requirements.txt')],
            check=True
Confidence
91% confidence
Finding
subprocess.run( [sys.executable, '-m', 'pip', 'install', '-r', os.path.join(get_root_dir(), 'requirements.txt')], check=True )

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The guide explicitly instructs the agent to send the generated daily report and summary to an OpenIM group or user, which contradicts the skill metadata claim that all data is stored locally. This creates an undocumented outbound data flow that can leak collected content, derived analysis, and links to unintended recipients without clear user approval or scope restriction.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documented use of a message tool to transmit files to a hardcoded OpenIM target gives the skill an exfiltration path unrelated to merely collecting intelligence and producing local reports. A fixed recipient such as "group_713131094" increases risk because sensitive or proprietary summaries could be sent automatically to an external party without contextual authorization.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script writes aggregated data to /tmp/dis_daily, a shared world-accessible temporary location on many systems, which conflicts with the stated 'all data stored locally' expectation of skill-local storage. This can expose collected intelligence data to other local users/processes, enable tampering via symlink or race-style abuse, and weaken data isolation guarantees.
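The remediation the finding implies, written here as an added example rather than code from the skill: instead of a fixed, predictable path under /tmp, the report goes to a per-user directory created with mode 0700, and each file is opened with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-planted symlink or an existing file cannot be followed or clobbered. The ~/.local/state location, the dis_daily directory name and the sample report bytes are assumptions for the demonstration; the base directory is overridable so the example runs against a scratch directory.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample report content (not produced by the skill itself).
SAMPLE_REPORT = b"daily intelligence summary: 3 new items\n"


def insecure_output_dir() -> Path:
    """The pattern flagged above: a fixed, predictable path under /tmp.
    Any local user can pre-create it or plant a symlink at the report path."""
    return Path(tempfile.gettempdir()) / "dis_daily"


def private_output_dir(base: Optional[Path] = None) -> Path:
    """Create a per-user output directory with mode 0700.

    Default base is ~/.local/state (assumed layout, not the skill's own);
    `base` can be overridden so the example runs against a scratch directory.
    """
    base = base or Path.home() / ".local" / "state"
    out = base / "dis_daily"
    out.mkdir(parents=True, exist_ok=True)
    os.chmod(out, 0o700)
    st = out.lstat()
    # Refuse the directory if someone else pre-created it or it is a symlink.
    if stat.S_ISLNK(st.st_mode) or st.st_uid != os.getuid():
        raise RuntimeError(f"refusing to use {out}: symlink or foreign owner")
    return out


def write_report(out_dir: Path, name: str, data: bytes) -> Path:
    """Write without following a planted symlink and without clobbering:
    O_EXCL fails if the path already exists (a symlink counts as existing),
    O_NOFOLLOW refuses symlinks outright, and mode 0600 keeps it private."""
    path = out_dir / name
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def symlink_blocked(out_dir: Path) -> bool:
    """Plant a symlink where a report would go; confirm the target survives."""
    target = out_dir / "victim.txt"
    target.write_bytes(b"must not be overwritten")
    link = out_dir / "planted.md"
    link.symlink_to(target)
    try:
        write_report(out_dir, "planted.md", b"attacker data")
        return False
    except OSError:
        return target.read_bytes() == b"must not be overwritten"


def demo(base: Path) -> dict:
    """Exercise the hardened path and report the observed properties."""
    out = private_output_dir(base)
    report = write_report(out, "report.md", SAMPLE_REPORT)
    try:  # a second write to the same name must fail, not overwrite
        write_report(out, "report.md", b"tampered")
        clobbered = True
    except FileExistsError:
        clobbered = False
    return {
        "dir_mode": stat.S_IMODE(out.stat().st_mode),
        "file_mode": stat.S_IMODE(report.stat().st_mode),
        "clobbered": clobbered,
        "symlink_blocked": symlink_blocked(out),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        print(demo(Path(scratch)))
```

The ownership check on the directory matters as much as the mode bits: chmod on a directory another user created under /tmp succeeds only if you own it, and a symlink placed there would otherwise redirect every subsequent write.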

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README instructs users to delete the SQLite database as a troubleshooting step without first requiring a backup or clearly warning that local data may be lost. In this skill's context, the database stores locally maintained intelligence sources, so following the instruction can destroy user-customized or accumulated data and cause operational disruption.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document describes automatic sending of generated reports but provides no warning that data will leave the local environment and no recipient verification step. In a skill advertised as local-only, silent transmission materially increases the chance of privacy breaches, accidental disclosure, and misuse of attached files.
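The three findings above (the OpenIM delivery instruction, the hardcoded "group_713131094" target, and the missing warning) share one missing control: nothing verifies the recipient or obtains approval before a report leaves the machine. The following is an added example, not code from the skill, of the gate a practitioner would want in front of any message tool: an operator-managed allowlist that is empty by default, mandatory confirmation for interactive runs, a hard refusal in non-interactive runs, and an audit record for every attempt. The `transport` callable stands in for whatever message tool the skill uses and is hypothetical; the "group_my_team" recipient and report bytes are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional

# The recipient quoted in the findings above, used here as the shipped
# default that a hardened sender must not trust implicitly.
HARDCODED_DEFAULT = "group_713131094"


@dataclass
class SendPolicy:
    """Operator-controlled outbound policy.

    allowed_recipients: explicit allowlist; empty means sending is disabled.
    require_confirmation: every send needs an explicit interactive 'yes'.
    """
    allowed_recipients: FrozenSet[str] = frozenset()
    require_confirmation: bool = True


@dataclass
class SendDecision:
    allowed: bool
    reason: str
    recipient: str
    content_sha256: str


def evaluate_send(recipient: str, policy: SendPolicy, report: bytes,
                  confirm: Optional[Callable[[str, str], bool]] = None) -> SendDecision:
    """Decide whether a report may leave the machine.

    `confirm` returns True only on explicit user approval; None means the
    run is non-interactive (cron, piped), so no approval is possible.
    """
    digest = hashlib.sha256(report).hexdigest()
    if not policy.allowed_recipients:
        return SendDecision(False, "sending disabled: allowlist is empty", recipient, digest)
    if recipient not in policy.allowed_recipients:
        return SendDecision(False, "recipient not in operator allowlist", recipient, digest)
    if policy.require_confirmation:
        if confirm is None:
            return SendDecision(False, "non-interactive run: no confirmation possible", recipient, digest)
        if not confirm(recipient, digest):
            return SendDecision(False, "user declined", recipient, digest)
    return SendDecision(True, "allowlisted and confirmed", recipient, digest)


def send_report(recipient: str, policy: SendPolicy, report: bytes,
                transport: Callable[[str, bytes], None],
                confirm: Optional[Callable[[str, str], bool]] = None,
                audit: Optional[list] = None) -> SendDecision:
    """Gate `transport` (hypothetical message-tool call) behind evaluate_send
    and record every attempt, so transmission is never silent."""
    decision = evaluate_send(recipient, policy, report, confirm)
    if audit is not None:
        audit.append({"recipient": recipient, "sha256": decision.content_sha256,
                      "allowed": decision.allowed, "reason": decision.reason})
    if decision.allowed:
        transport(recipient, report)
    return decision


def demo() -> list:
    report = b"# DIS daily report\n3 items\n"  # constructed sample
    sent: List[str] = []
    fake_transport = lambda r, data: sent.append(r)
    audit: list = []
    # 1. As shipped: hardcoded recipient, no allowlist configured -> blocked.
    d1 = send_report(HARDCODED_DEFAULT, SendPolicy(), report, fake_transport, audit=audit)
    # 2. Operator allowlisted their own group, but the run is non-interactive -> blocked.
    pol = SendPolicy(frozenset({"group_my_team"}))
    d2 = send_report("group_my_team", pol, report, fake_transport, audit=audit)
    # 3. Allowlisted and confirmed interactively -> sent.
    d3 = send_report("group_my_team", pol, report, fake_transport,
                     confirm=lambda r, h: True, audit=audit)
    # 4. The shipped default against a real allowlist -> still blocked.
    d4 = send_report(HARDCODED_DEFAULT, pol, report, fake_transport,
                     confirm=lambda r, h: True, audit=audit)
    return [d1.allowed, d2.allowed, d3.allowed, d4.allowed, sent, len(audit)]


if __name__ == "__main__":
    print(demo())
```

Logging the SHA-256 of the outbound content alongside the recipient gives the operator a way to match what was sent against the report file on disk after the fact, which a plain "sent" message does not.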

Missing User Warnings

Medium
Confidence
95% confidence
Finding
In non-interactive mode, the script defaults to `response = 'y'` and proceeds to install dependencies automatically. That means merely invoking the tool in automation or a piped environment can trigger package installation and package setup/build execution without explicit approval, increasing supply-chain and unexpected-code-execution risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
Confidence
97% confidence
Finding
feedparser>=6.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
python-dateutil>=2.8.2
Confidence
97% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
python-dateutil>=2.8.2
Confidence
96% confidence
Finding
beautifulsoup4>=4.11.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
feedparser>=6.0.0
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
python-dateutil>=2.8.2
Confidence
97% confidence
Finding
lxml>=4.9.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
python-dateutil>=2.8.2
Confidence
95% confidence
Finding
python-dateutil>=2.8.2
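The five Unpinned Dependencies findings and the earlier non-interactive `response = 'y'` finding are two halves of one supply-chain problem: the floor specifiers let `pip install -r` resolve to whatever is newest at install time, and the automation default runs that install without anyone approving it. The following is an added example, not code from the skill, that checks a requirements file for exact pins with `--hash` entries (the form `pip install --require-hashes` enforces) and replaces the blanket 'y' with an explicit opt-in. The `DIS_AUTO_INSTALL` variable name is hypothetical; the pinned file and its hash values are constructed placeholders, not real release digests.

```python
import os
import re
import sys
from typing import Dict, List

# The requirements lines quoted in the findings above; every one uses a floor
# specifier, so the resolved version depends on the day the install runs.
FLAGGED_REQUIREMENTS = """\
feedparser>=6.0.0
requests>=2.28.0
beautifulsoup4>=4.11.0
lxml>=4.9.0
python-dateutil>=2.8.2
"""

# What a pinned, hash-locked file looks like (constructed example; the digests
# are placeholders). `pip install --require-hashes -r` refuses anything
# that lacks a matching hash, including transitive dependencies.
PINNED_EXAMPLE = """\
feedparser==6.0.11 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.32.3 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

_SPEC_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


def _join_continuations(text: str) -> List[str]:
    """Merge backslash-continued lines, as pip does; drop blanks and comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            out.append(buf.strip())
        buf = ""
    return out


def audit_requirements(text: str) -> List[Dict[str, object]]:
    """Classify each requirement: pinned means `==` AND at least one --hash."""
    results = []
    for line in _join_continuations(text):
        m = _SPEC_RE.match(line)
        if not m:
            continue
        name, op, _version = m.groups()
        has_hash = "--hash=" in line
        results.append({"name": name, "operator": op, "has_hash": has_hash,
                        "pinned": op == "==" and has_hash})
    return results


def unpinned_names(text: str) -> List[str]:
    return [str(r["name"]) for r in audit_requirements(text) if not r["pinned"]]


def may_autoinstall(interactive: bool, env: Dict[str, str]) -> bool:
    """Hardened replacement for `response = 'y'` in non-interactive runs:
    with a TTY the caller prompts the user; without one, install only if the
    operator deliberately set DIS_AUTO_INSTALL=1 (hypothetical variable)."""
    if interactive:
        return True
    return env.get("DIS_AUTO_INSTALL") == "1"


if __name__ == "__main__":
    print("unpinned:", unpinned_names(FLAGGED_REQUIREMENTS))
    print("unpinned in locked file:", unpinned_names(PINNED_EXAMPLE))
    print("auto-install allowed:", may_autoinstall(sys.stdin.isatty(), dict(os.environ)))
```

Run against the skill's own requirements.txt before enabling cron; if the check reports any unpinned names, generate a locked file (for example with `pip hash` or a lock tool) inside the virtual environment and install from that instead.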

VirusTotal

66/66 vendors flagged this skill as clean.
