Hot News

Security checks across malware telemetry and agentic risk

Overview

This hot-news skill is not malicious, but it should be reviewed because it asks for an API key and persists it locally without a clear user-facing storage notice.

Install only if you are comfortable giving this publisher a xiaobenyang API key and having it saved in a local .env file. Review or rotate the key if it is sensitive or paid, and consider removing the stored XBY_APIKEY when you no longer use the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence
Severity: Medium
Confidence: 81%

Finding: References to an unrelated gaokao/school-search codebase and example function in a hot-trending aggregation skill indicate documentation/code confusion. Such inconsistencies increase the risk of misrouting user input, invoking unintended functions, or hiding additional behavior that reviewers and users cannot reliably validate.

Description-Behavior Mismatch
Severity: Medium
Confidence: 86%

Finding: The module implements API key persistence, mutation, and global state updates in a configuration file even though the declared skill is a hot-trend aggregation service. This expands the skill’s authority to locally store and modify secrets, increasing the chance of unintended credential exposure or persistence beyond the user’s expectations.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%

Finding: The code includes local secret-management behavior by reading and writing an API key in a .env file, which is not clearly justified by the stated purpose of aggregating public hot-topic data. Unnecessary secret-management features increase attack surface and can lead to accidental leakage through local files, backups, or source control.

Intent-Code Divergence
Severity: Low
Confidence: 80%

Finding: The docstring identifies the module as a different skill domain than the manifest, indicating a likely copy-paste or repurposed code artifact. Such mismatches weaken trust boundaries and make it harder to verify whether the code’s behavior matches the declared function, which can hide inappropriate capabilities.

Missing User Warnings
Severity: Medium
Confidence: 95%

Finding: The skill instructs the model to collect a user-provided API key and save it via configuration without warning that the key will be persisted locally, likely into .env and environment state. Persisting secrets without an explicit privacy notice and consent model can expose credentials to other local processes, future sessions, logs, backups, or unintended operators.

Missing User Warnings
Severity: Medium
Confidence: 90%

Finding: The function persists the API key to .env without any user-facing warning, consent flow, or indication of storage lifetime. Silent credential persistence is risky because users may expect a temporary in-memory setting, while the key is actually written to disk where it may be exposed to other processes, backups, or accidental commits.

VirusTotal

64/64 vendors flagged this skill as clean.