Ai News Brief

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed AI-news scraping and reporting skill with optional email and LLM features, but users should review the browser automation and external sharing settings before enabling them.

Install only if you are comfortable with a skill that opens or connects to Chrome, scrapes multiple public news sites, and stores local history. Leave LLM and email options disabled unless you have reviewed the API URL, API key, SMTP credentials, recipients, and what report or article content will be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill documents capabilities for network access, local file reads/writes, and shell-like installation/cron commands, but does not declare permissions or present a clear trust boundary for those operations. In an agent environment, undeclared powerful capabilities reduce user awareness and consent, making it easier for the skill to access local config, persist data, install dependencies, and transmit content externally without an explicit permission model.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The documented behavior substantially exceeds the headline description by adding policy scraping, local persistence, user-profile customization, external LLM summarization, translation hooks, and scoring/filtering logic. This mismatch undermines informed consent because users may enable a 'news brief' skill without realizing it stores histories, processes preference data, and may send article content to third parties.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The script starts Chrome with the DevTools remote debugging interface enabled and then drives it over WebSocket. Exposing the Chrome DevTools Protocol (CDP) on a local port creates a powerful browser-control surface that can be abused by other local processes, and the skill context explicitly uses browser automation to bypass anti-bot protections, making the behavior more security-sensitive than ordinary news fetching.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrases include broad terms such as 'AI新闻' ("AI news") and '科技资讯' ("tech news"), which can overlap with ordinary conversation and cause the skill to activate unexpectedly. Unexpected activation is risky here because the skill can perform network scraping, browser automation, file writes, and potentially external transmissions, amplifying the consequences of a false trigger.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill offers optional LLM summarization via third-party providers but does not clearly warn that article contents, prompts, and potentially metadata may be transmitted to external services. Even if the content is scraped from public sites, outbound transmission creates privacy, compliance, and data-governance risk that users should understand before enabling the feature.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The email feature sends generated reports and recipient information through external SMTP infrastructure, yet the documentation does not clearly frame this as external data sharing with associated privacy and security implications. Users may not appreciate that reports, email addresses, sender credentials, and metadata transit third-party mail servers and may be stored or logged outside the local environment.

Missing User Warnings

Severity: Medium
Confidence: 75%
Finding
The script can transmit collected news content and generated attachments to configured email recipients automatically once SMTP and recipient settings are enabled, without any explicit confirmation, allowlist enforcement, or warning at send time. In this skill context, the data is likely low sensitivity public content, which reduces severity, but automatic outbound delivery still creates a data-exfiltration and privacy risk if the configuration is tampered with or misconfigured.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script silently launches a browser with remote debugging and writes browser state to a user-specific data directory without a clear warning or opt-in. Even though the profile path is separate, this can persist cookies, session artifacts, and browsing traces, and users are not meaningfully informed that browser automation and local state creation will occur.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The code transmits article title and content to a third-party LLM API via `requests.post`, but there is no in-function consent check, redaction, allowlist, or clear user-facing notice at the point of transmission. In this skill context, scraped news content may include unpublished, licensed, or sensitive material from user-selected sources, so silent external transmission creates a real privacy/compliance risk even if it is functionally intended.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The module persistently stores fetched article history to disk without any visible user disclosure, consent flow, retention notice, or protection controls. While the stored data is not highly sensitive by itself, local persistence can still expose usage patterns, source interests, and timestamps to other local users, backup systems, or unintended consumers, especially in shared or managed environments.

VirusTotal

66/66 vendors flagged this skill as clean.