newspaper-download-skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it handles import tokens in ways users should review carefully before installing.

Review before installing. Only use this if you trust pick-read.vip and understand that generated download links may function like credentials. Keep config.json private, avoid passing tokens directly on the command line, avoid sharing generated links in public chats or logs, and consider modifying the script to redact tokens, avoid saving sensitive results, and restore normal HTTPS verification.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill saves query results to disk by default, and those results can include issue metadata and tokenized download URLs. Persisting this data expands the exposure surface beyond the stated query/link retrieval behavior and can leak sensitive access URLs to other local users, logs, backups, or later processes.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README tells users to place an Import Token directly into config files and pass it on the CLI, but it does not warn that this token is a sensitive credential. That creates a real risk of accidental disclosure through checked-in config files, shell history, screenshots, logs, or shared transcripts, especially because the token grants access to PDF download links.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill tells the agent to read a local config file for `import_token` and then use that secret to generate user-facing download URLs, without informing the user that a credential will be accessed and propagated. This creates a clear secret-handling flaw: a local credential is transformed into a shareable artifact, increasing the chance of unintended disclosure, replay, and downstream leakage via logs, chat history, or link sharing.

Missing User Warnings

High
Confidence: 99%
Finding
The skill explicitly instructs the agent to give the user a `download_url` containing `?token=imp-xxx`, which is a bearer secret in URL form. URLs are commonly exposed in browser history, referrers, terminal logs, telemetry, and chat transcripts, so returning them directly materially increases credential exposure risk.

Missing User Warnings

High
Confidence: 99%
Finding
The batch workflow multiplies the same problem by exposing many tokenized URLs at once, significantly increasing blast radius if the output is copied, logged, or forwarded. Bulk disclosure also makes automated abuse easier because a single response may leak access to multiple documents using the same credential.

Missing User Warnings

Medium
Confidence: 99%
Finding
The code deliberately disables TLS certificate validation and hostname checking for HTTPS requests, which makes man-in-the-middle interception possible. Because this skill fetches issue metadata and constructs authenticated download URLs, an attacker on the network path could tamper with responses, redirect downloads, or capture sensitive tokens indirectly.

Missing User Warnings

Medium
Confidence: 98%
Finding
The saved result files may contain fully tokenized download URLs, which effectively embed credentials in plaintext on disk. Those files can be read by other local users, included in backups, or accidentally shared, enabling unauthorized PDF access as long as the token remains valid.

Ssd 3

High
Confidence: 98%
Finding
This is a direct secret-disclosure pattern: the agent is told to read a local config file containing `import_token` and then disclose token-bearing download URLs derived from that secret. The skill context makes this more dangerous, not less, because the tool's stated purpose is to retrieve downloadable PDFs, so the secret is operationalized into an immediately usable access token rather than remaining internal.

Ssd 3

High
Confidence: 99%
Finding
The skill repeatedly instructs the agent to extract and return `download_url` values that include the import token, normalizing repeated secret exfiltration as part of normal operation. Repetition across single-item, batch, and example workflows increases likelihood of accidental leakage and signals that the design lacks basic secret-segregation controls.

VirusTotal

65/65 vendors flagged this skill as clean.
