Trending News Aggregator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed news aggregation skill that uses public web search, local configuration, and optional scheduled push delivery without hidden or destructive behavior.

Install if you want an agent to search the web for trending news and optionally send scheduled digests. Before enabling automation, verify the push channel, recipient, and schedule, and run it on an up-to-date OpenClaw version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium, 87% confidence

Finding: The documented trigger phrase '获取今日热点新闻' ("get today's trending news") is broad and resembles a natural user request, which increases the chance of accidental invocation during ordinary conversation. In a news aggregation skill this is not directly a code-execution or data-exfiltration issue, but it can still cause unintended actions such as unnecessary network access, scheduled behavior, or noisy responses.

Vague Triggers

Medium, 90% confidence

Finding: The manual trigger phrase “获取今日热点新闻” ("get today's trending news") is a common natural-language request that overlaps with ordinary user conversation. If the platform uses phrase-based or example-based routing, this can cause unintended invocation of the skill when a user is merely asking for news, leading to surprise tool use, unnecessary web queries, or accidental scheduled actions in adjacent flows.

Vague Triggers

Medium, 87% confidence

Finding: The example user request “今天有什么热点新闻?” ("What's the trending news today?") is extremely generic and indistinguishable from a normal assistant query. In systems that learn activation behavior from examples, this broad phrasing increases the risk that the skill is auto-invoked unexpectedly, causing unintended browsing or bypassing normal agent routing expectations.

Vague Triggers

Low, 82% confidence

Finding: The scheduling example “每天早上9点给我推送新闻” ("push news to me at 9 a.m. every day") is a broad conversational request that could map to many automation or reminder capabilities, not just this skill. In a skill ecosystem, ambiguous scheduling language can trigger unintended setup flows or cause the wrong skill to claim the request.

VirusTotal

64/64 vendors flagged this skill as clean.
