News Aggregator Skill

Security checks across malware telemetry and agentic risk

Overview

This news skill mostly does what it says, but it includes anti-bot scraping behavior and unsafe network defaults that need review before installation.

Install only if you are comfortable with automated scraping from many third-party sites. Use an isolated environment, review or disable Playwright/deep-fetch paths, do not approve cron/background scheduling unless you want unattended recurring runs, and remember that saved reports can persist local records of your interests and fetched content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (19)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill advertises operational capabilities including shell execution, network access, file reads, and file writes, but does not declare permissions or warn users about those actions. This reduces transparency and prevents informed consent, especially because the workflow instructs persistent disk writes and live fetching from external sources.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 83%
Finding
The declared purpose is news aggregation, but the documented behavior includes persistent local writes and references to extra scripts/debug functionality not reflected in the high-level description. This mismatch can mislead users about what the skill actually does and may cause them to authorize broader behavior than expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The plan expands the skill from on-demand news aggregation into persistent system-level automation by installing a cron job. That changes the trust boundary and creates ongoing execution outside normal user invocation, which can lead to unintended background activity, repeated network access, and persistence on the host.

Context-Inappropriate Capability

Severity: Low
Confidence: 79%
Finding
Adding a bash entrypoint introduces shell-script execution where a direct Python invocation would be simpler and safer. Shell wrappers increase attack surface through environment manipulation, path issues, quoting bugs, and easier chaining of unintended commands, even if the current plan describes only benign operations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The Playwright launcher is explicitly configured to reduce automation detection by disabling Blink automation indicators and spoofing a mainstream browser user-agent. In a news aggregation skill, this behavior is not necessary for ordinary RSS/news fetching and materially increases concern because it facilitates accessing sites that are trying to restrict automated scraping.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The inline comment stating the script is 'just bypassing the firewall' is a strong indicator of intentional evasion rather than routine content retrieval. Given the skill’s purpose as a news aggregator, this divergence in stated intent makes the code more dangerous because it suggests deliberate circumvention of site protections, which can enable unauthorized scraping or access paths.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding
This fallback path introduces hidden browser-automation execution through subprocesses for RSS retrieval, which materially increases the skill's execution surface beyond simple HTTP fetching. In an agent environment, undisclosed execution of auxiliary scripts can create policy and trust issues, especially if those scripts later gain broader file, network, or browser capabilities.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README explicitly advertises bypassing anti-bot protections with Playwright/Cloudflare evasion and full-content scraping, but provides no warning about legal, privacy, or operational risks. In an agent skill, this is dangerous because it encourages automated collection from third-party sites in ways that may violate terms of service, trigger abuse complaints, or cause the agent to process content users are not authorized to fetch.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The trigger phrase "deep analysis" is ambiguous about topic and source scope, making accidental invocation plausible in many contexts. In this skill, that ambiguity matters because execution can initiate broad scans and persistent report generation without a clearly bounded user request.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The workflow explicitly instructs saving reports to disk before displaying them, but provides no user-facing warning that files will be created. Undisclosed persistence is a security and privacy concern because fetched content and derived analysis may remain on the system unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
A strict requirement to always save reports creates persistent filesystem changes for every run, regardless of whether the user asked for storage. This is risky because it can accumulate sensitive browsing interests, consume disk space, and leave behind artifacts that users do not expect.

Missing User Warnings

Severity: Low
Confidence: 83%
Finding
The plan describes automated report generation and date-based file creation on a recurring schedule, but the warning given to the user does not cover the operational impact. Without explicit disclosure, users may not realize the skill will continuously write files, consume disk space, and generate ongoing network activity after initial setup.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding
The instruction hard-codes Chinese output for the summary field rather than adapting to the user's requested language. This can override user intent and create prompt-level misalignment, especially in multilingual contexts where the agent is expected to follow the user's language preference.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding
The skill hard-codes Simplified Chinese output regardless of the user's language preference, which can override user intent and reduce transparency or accessibility for users who do not read Chinese. In a news aggregation skill, this is not directly a code-execution or data-exfiltration issue, but it is still a policy/control vulnerability because the agent may ignore user preference and produce unusable or misleadingly constrained output.

Natural-Language Policy Violations

Severity: Medium
Confidence: 94%
Finding
The instructions hard-code a Chinese-localized style and output framing without any mechanism to respect the user's language preference. This can cause the agent to ignore user intent or system locale expectations, leading to confusing, inaccessible, or policy-incompatible responses in multilingual environments.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
This additional undisclosed subprocess path is more concerning because it is embedded in a generic fallback helper, making execution less obvious to operators and reviewers. Hidden automation in an agent skill violates the principle of least surprise and increases risk if the helper script performs broader actions than expected.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The template explicitly states that all reports are automatically saved to `reports/YYYY-MM-DD/`, creating a filesystem side effect without user confirmation or any warning. In an agent setting, silent persistence can expose sensitive prompts, retrieved content, or derived analysis to local storage, surprising users and increasing data retention risk.

VirusTotal

66/66 vendors flagged this skill as clean.