ClawHub

X News Daily

Security checks across malware telemetry and agentic risk

Overview

This is a coherent X.com news-briefing poster skill with disclosed browsing, file generation, screenshot, sending, and optional scheduling behavior.

Install only if you want an agent to fetch X.com results for your keywords, create local poster files, and send them through your chosen messaging channel. Keep scheduled runs disabled unless you explicitly want recurring briefings, and confirm ambiguous “daily brief” requests before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation such as 'X News' or 'Daily Brief', increasing the chance of accidental activation. In this skill, unintended activation is more concerning because it initiates network access, content collection from X.com, file generation, and outbound sending, which can cause privacy leakage or unwanted actions without clear user intent.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The Chinese triggers include generic phrases like '每日简报' that can easily collide with normal user requests, causing the skill to run when the user may not have intended this specific workflow. Because execution includes external browsing, local file creation, screenshot generation, and sending results to IM platforms, accidental activation has meaningful side effects beyond a harmless reply.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill explicitly performs network access, creates local files, and sends generated content to messaging platforms, yet the description does not warn users about these data-handling behaviors. In context, the keyword can be user-supplied and fetched from an external site, so users should be told that requests may be transmitted externally and saved locally before delivery.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal