Article Fetcher (article fetching + Notion archiving)

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches articles, uploads images to OSS, optionally uses an LLM for tags, and archives the result to Notion, with sensitive behavior mostly disclosed but worth configuring carefully.

Install only if you are comfortable giving it OSS and Notion credentials and, if configured, sending article text to your chosen LLM provider. Use least-privilege OSS and Notion tokens, protect cookie files as you would logged-in sessions, and avoid archiving private, copyrighted, or sensitive content unless you have permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill requires sensitive environment variables, local cookie files, and outbound network access, but the manifest does not explicitly declare permissions/capabilities. This weakens user awareness and platform enforcement, making it easier for a user or orchestrator to invoke a skill that reads secrets, accesses local files, and sends content to OSS, Notion, and possibly an LLM endpoint without clear consent boundaries.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The README states that cookies and other sensitive information will not be uploaded or leaked, yet the documented workflow explicitly sends fetched article content to an external LLM service for keyword extraction when configured. Even if cookies themselves are not transmitted, this claim is overly broad and misleading because article text may contain personal, proprietary, or otherwise sensitive data that leaves the local system.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The documentation says article content is sent to DashScope when `DASHSCOPE_API_KEY` is configured, but the actual configuration section references `LLM_API_KEY`, `LLM_BASE_URL`, and `LLM_MODEL` with a DeepSeek example. This inconsistency can mislead users about where sensitive article content is being sent, undermining informed consent and causing accidental disclosure to an unexpected third-party service.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The README promotes automatic OSS image upload, LLM-based keyword extraction, and Notion archiving, all of which involve sending scraped content and derived assets to external services. Without a clear upfront warning, users may reasonably assume the tool operates locally, causing unintended disclosure of article text, images, metadata, and possibly copyrighted or private material.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The README instructs users to export authenticated browser cookies for scraping gated content but does not prominently warn that these files represent active session credentials. Mishandling such cookies can enable account takeover, unauthorized access, or accidental inclusion in logs, backups, or other tooling around the skill.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill prominently advertises fetching and archiving but does not sufficiently warn, near the usage flow, that it will persist article text/metadata to Notion and upload images to OSS. In this skill context, silent or under-emphasized data persistence is significant because users may treat it as a temporary fetcher while it actually causes durable third-party storage of potentially copyrighted, private, or sensitive content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The fetcher automatically applies cookies for the supplied URL and then performs a network request, which can cause authenticated requests to be sent to untrusted or user-controlled WeChat article URLs without explicit user awareness. In a scraping/archive skill, this increases risk of credential leakage, unintended account-linked access, and SSRF-style access to internal or sensitive endpoints if URL validation is weak upstream.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill fetches full article content from third-party platforms and sends it to Notion automatically, but this file shows no explicit confirmation, warning, scope restriction, or redaction step before transmission. In this context, the tool is specifically designed to ingest and archive external content, so silent export to a third-party service can create privacy, compliance, copyright, or accidental sensitive-data disclosure risk if the fetched content contains non-public or regulated information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The code sends article text and optional title to a configurable external LLM endpoint via `requests.post` without any consent check, warning, or data-classification guard at the call path. Because this skill processes third-party article content and may also handle non-public material, this creates a real privacy and data-governance risk if sensitive or copyrighted content is forwarded off-platform.

VirusTotal

66/66 vendors flagged this skill as clean.