Security audit

Daily Insight Brief

Security checks across malware telemetry and agentic risk

Overview

This skill is a plain markdown daily news-briefing skill with disclosed public-source collection and no executable code or hidden install behavior.

Install this only if you want a recurring web-based news brief from public sources. Review or remove the stray local-path authoring sentence, and keep any future Feishu, email, or channel publishing disabled unless you intentionally configure where outputs should be sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The skill text includes a concrete instruction to write the manifest to a specific local filesystem path, which exceeds the stated purpose of summarizing daily information and encourages filesystem modification without clear necessity or user approval. Even though it appears framed as a convenience step, hardcoded local write targets can cause unintended file changes, overwrite trusted skill content, or normalize unsafe agent behavior around local path access.

Missing User Warnings

Medium, 88% confidence
Finding
The skill describes automatic collection from external sources and later mentions possible publishing to Feishu, email, or channels, but does not prominently warn users about outbound network access and downstream dissemination. This weakens informed consent and can lead to unexpected data transfer, policy violations, or accidental sharing of generated content into external systems.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.