Daily Producer

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended to generate personalized daily reports, but it bundles broad network collection, local credential use, behavioral tracking, an unauthenticated background server, and embedded proxy credentials that need user review.

Install only if you are comfortable with a report skill that can contact many external platforms, reuse browser/login state through opencli, read Feishu app credentials, send Feishu messages, run a local server reachable on the network by default, collect reading behavior, and store feedback for personalization. Before use, remove the embedded proxy credential, bind the server to localhost or add authentication, disable or minimize feedback telemetry, require confirmation before profile and notification changes, and review any Graphify or third-party AI export settings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (44)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
cmd = f'opencli web read --url "{url}" --format md --output "{work_dir}"'

try:
    result = subprocess.run(
        cmd, shell=True, capture_output=True, text=True,
        timeout=timeout, env=env
    )
Confidence
98% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, text=True, timeout=timeout, env=env )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
env["https_proxy"] = proxy_url

try:
    result = subprocess.run(
        full_cmd, shell=True, capture_output=True, text=True,
        timeout=timeout, env=env
    )
Confidence
97% confidence
Finding
result = subprocess.run( full_cmd, shell=True, capture_output=True, text=True, timeout=timeout, env=env )

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly performs file reads/writes, shell execution, network access, environment-variable use, and background process management, yet no permissions are declared. This creates an authorization transparency gap: a caller or platform cannot accurately gate or review the skill's actual power, increasing the chance of unsafe execution with broader access than expected.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is daily report generation, but the documented behavior also includes persistent profile mutation, outbound Feishu messaging, local HTTP service startup, feedback collection/storage, and optional knowledge-graph writes. This scope expansion is dangerous because users may consent to content generation without realizing the skill also changes state, communicates externally, and runs background services.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation frames HTML rendering as the main outcome, but the pipeline continues with Feishu notification delivery and launching a persistent feedback server. This mismatch can cause operators to underestimate external data disclosure and long-lived local side effects.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Graphify integration writes article content into a separate knowledge-graph store and may launch an external watch process, which is materially broader than generating a daily report. That creates extra data-retention and process-execution risk not obviously necessary for the core function.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This initialization skill goes beyond generating a local profile and instructs the agent to actively configure and test Feishu notification delivery, including sending outbound messages. That expands the skill from harmless setup into credential use and external side effects, which is dangerous because a user invoking profile initialization may not expect message transmission or notification-channel configuration.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill instructs the agent to read local Feishu credentials from ~/.openclaw/openclaw.json and use them to authenticate against Feishu APIs and send messages to a chat. Accessing local secrets and exercising them for a profile-initialization task is a clear scope mismatch and can expose or misuse sensitive credentials without a tightly justified need.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The file is presented as an example HTML daily report, but the embedded script goes beyond rendering and performs behavioral telemetry collection, interest profiling, local persistence, and backend reporting. This expansion of capability is security-relevant because users and integrators may treat the file as passive content while it silently captures interaction data and builds a session profile.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The page constructs prompts from article content and embedded recommendation text, then sends them to third-party AI services via query parameters and window.open. This can leak user context, reading interests, and potentially sensitive internal content to external providers outside the core need of rendering a daily report.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The schema captures AI tool usage counts and per-call prompt previews, which can reveal sensitive user behavior and fragments of prompts that may contain confidential business data, personal data, or proprietary instructions. For a daily report engine, this is broader than clearly necessary and creates unnecessary data-retention and profiling risk if stored or reused.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The optional all_events field allows storage of raw session event logs with additionalProperties enabled, meaning arbitrary extra data can be persisted without schema constraints. This materially increases the chance of collecting sensitive interaction data, identifiers, or accidental secrets far beyond what is needed to generate a daily report.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file contains hardcoded authenticated proxy credentials for outbound Reddit access. Embedding secrets directly in source code risks credential leakage through repository access, logs, packaging, or reuse by unintended parties, and also routes user traffic through an undisclosed third-party service.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The server's documented role is serving reports and collecting feedback, but `/api/bookmark` writes externally consumable Markdown files and the service can also bootstrap Graphify processing. This scope expansion increases data handling and side effects beyond user expectations, which raises security and privacy risk if the endpoint is exposed on the network.

Context-Inappropriate Capability

High
Confidence
90% confidence
Finding
The code starts and manages an external long-running `graphify --watch` background process from a network-facing feedback server. This adds host-side process execution capability unrelated to basic report serving, increasing operational risk and making compromise or misuse of the service more damaging.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The service reads a PID from a file and can send SIGTERM and SIGKILL to that process, giving it host process-control capability beyond its stated role. If the PID file is stale, corrupted, or writable by another local actor, the script could terminate an unrelated process, causing denial of service on the host.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script loads historical feedback from prior sessions and uses tags, votes, and inferred interests to boost ranking, which expands behavior beyond the stated profile-driven collection/filtering pipeline. This creates a privacy and scope-creep risk because past user interaction data is silently reused to personalize outputs, potentially without clear disclosure, consent, retention limits, or a way to disable it by default.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The renderer embeds broad client-side telemetry collection and automatic feedback exfiltration (`sendBeacon('/api/feedback')`, local event logging, dwell/copy/click tracking) even though the component is described as an HTML renderer. This creates a hidden surveillance/data-collection capability over user behavior and selected/copied content without clear consent, making the generated page substantially more dangerous than its stated purpose.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
A bookmark click triggers a POST to `/api/bookmark` with article metadata, summary, source URL, priority, and date, which is outside simple rendering behavior. This silently turns a UI interaction into backend data ingestion and potential knowledge-graph enrichment, expanding data flow and trust boundaries without user awareness.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The page hard-codes integrations that send generated prompts to third-party AI services such as Claude, ChatGPT, and DeepSeek. Because prompts are built from article content and user-context text, this can leak potentially sensitive reading context or internal summaries to external providers outside the renderer's core mission.

Intent-Code Divergence

High
Confidence
88% confidence
Finding
The module documentation claims the script only provides stable HTML rendering, but the generated output also contains telemetry capture, backend reporting, bookmark synchronization, and AI prompt distribution. This mismatch is security-relevant because operators may review or approve the file under a much narrower threat model than its real behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to persistently modify config/profile.yaml whenever the user mentions a source, but it does not require an explicit warning or confirmation that the change affects future runs. This can lead to silent long-term configuration drift, accidental inclusion of untrusted sources, or user surprise about persistent state changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs automated multi-platform collection and may fall back to API-plus-proxy access, but it does not warn users that requests, identifiers, or browsing-derived data may be transmitted to third parties. In a news aggregation workflow, this increases privacy and compliance risk because collection may cross service boundaries without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Sending Feishu notifications with report links discloses report availability and potentially sensitive content location to an external chat system, yet the skill does not require a warning or confirmation. If the public URL is reachable beyond the local machine or contains private reporting content, this can expose sensitive information to unintended recipients.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The feedback service may terminate an existing process before restarting, but the documentation does not clearly warn that this is a disruptive action. While primarily operational, it can interrupt other sessions or overwrite expected service state without user awareness.

VirusTotal

67/67 vendors flagged this skill as clean.