Real Time News

Security checks across malware telemetry and agentic risk

Overview

This news skill is not clearly malicious, but it asks for an API key and stores it locally with weak disclosure and safety controls.

Install only if you are comfortable giving this skill a Xiaobenyang API key and having it written to a local .env file. Use a dedicated, low-privilege key if possible, keep the folder out of source control, and remove the .env entry when you no longer use the skill. VirusTotal and the static scan were clean, and I found no artifact-backed exfiltration or destructive behavior, but the credential storage and inconsistent documentation warrant Review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises only a simple news capability, but its documented behavior includes environment access, local file reads/writes, and network use without any declared permission boundary. That weakens transparency and reviewability: users and hosting platforms cannot accurately assess that the skill will read and persist secrets and call external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
This is a genuine description-behavior mismatch: a skill presented as 'real-time news' also instructs collection, persistence, and environment mutation of an API key and depends on an external MCP/API layer. Such mismatches are dangerous because they conceal sensitive-data handling and broader execution capabilities behind an innocuous description, undermining informed consent and security review.
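The two findings above reduce to a check a reviewer can automate before installing: compare the capabilities the instructions imply with what the description declares, and compare the tool calls in the examples with the declared toolset. The script below is an added example written for this report, not code from the skill or from SkillSpector. The SKILL.md it audits is constructed to mirror the pattern the findings describe; the `tools:` front-matter key, the tool names, and the capability patterns are assumptions.

```python
"""Heuristic pre-install audit of an agent skill's SKILL.md.

Added example for this report; it is not code from the skill or from the
scanner on this page. It checks two things the findings above describe:
capabilities the instructions imply but the description never declares, and
example tool calls that are not in the declared toolset.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample manifest, NOT the real skill's file. It mimics the
# pattern in the findings: a news description, a key written to .env, an
# exported environment variable, raw output, and a stray school-search call.
SAMPLE_SKILL_MD = """\
---
name: real-time-news
description: Fetch real-time news headlines for a topic.
tools:
  - news_search
  - news_detail
---
## Setup
Ask the user for their API key and save it to `.env` as NEWS_API_KEY.
Then run `export NEWS_API_KEY=...` so later calls can use it.
## Usage
Call the upstream API at https://api.example.invalid/v1/news and show the
raw response to the user.
Example: school_search(query="Beijing high schools")
"""

# capability -> (pattern that reveals it in the instructions,
#                pattern the description must contain to count as declaring it)
CAPABILITIES = {
    "credential_collection": (r"\bapi[ _-]?key\b|\btoken\b|\bsecret\b",
                              r"key|token|secret|credential"),
    "secret_persistence": (r"\.env\b|\b(save|write|store)\b.*\bkey\b",
                           r"\.env|stor|persist|save"),
    "env_mutation": (r"\bexport\s+[A-Z_]+=|os\.environ\[|\bsetx\b",
                     r"environment"),
    "network": (r"https?://|\bcurl\b|\brequests\.|\bfetch\(",
                r"api|http|network|fetch"),
    "raw_upstream_output": (r"\braw\b.*\b(response|output)\b",
                            r"\braw\b"),
}
FRONT_MATTER = re.compile(r"^---\n(.*?)\n---\n(.*)$", re.S)
TOOL_CALL = re.compile(r"\b([a-z_][a-z0-9_]*)\s*\(", re.I)


@dataclass
class AuditResult:
    description: str
    declared_tools: set[str]
    undeclared_capabilities: dict[str, list[str]] = field(default_factory=dict)
    undeclared_tool_calls: set[str] = field(default_factory=set)

    def verdict(self) -> str:
        flagged = self.undeclared_capabilities or self.undeclared_tool_calls
        return "review" if flagged else "ok"


def parse_manifest(text: str) -> tuple[str, set[str], str]:
    """Split SKILL.md into (description, declared tools, instruction body)."""
    m = FRONT_MATTER.match(text)
    if not m:
        raise ValueError("SKILL.md has no YAML front matter")
    header, body = m.group(1), m.group(2)
    desc = re.search(r"^description:\s*(.+)$", header, re.M)
    tools = set(re.findall(r"^\s*-\s*([A-Za-z_]\w*)\s*$", header, re.M))
    return (desc.group(1).strip() if desc else ""), tools, body


def audit_skill(text: str) -> AuditResult:
    """Flag capabilities the body implies but the description does not declare,
    and tool calls in examples that fall outside the declared toolset."""
    description, tools, body = parse_manifest(text)
    result = AuditResult(description=description, declared_tools=tools)
    for name, (body_pat, declared_pat) in CAPABILITIES.items():
        evidence = [ln.strip() for ln in body.splitlines()
                    if re.search(body_pat, ln, re.I)]
        if evidence and not re.search(declared_pat, description, re.I):
            result.undeclared_capabilities[name] = evidence
    result.undeclared_tool_calls = set(TOOL_CALL.findall(body)) - tools
    return result


if __name__ == "__main__":
    r = audit_skill(SAMPLE_SKILL_MD)
    print(f"verdict: {r.verdict()}")
    for cap, lines in r.undeclared_capabilities.items():
        print(f"- undeclared capability {cap}: {lines}")
    for tool in sorted(r.undeclared_tool_calls):
        print(f"- example calls undeclared tool {tool}")
```

On the constructed manifest the network capability is not flagged, because the description's "Fetch" already declares it; the key collection, the `.env` write, the `export`, the raw output and the `school_search` call all are. The point is that the declared description, not the reviewer's charity, sets the baseline for what counts as disclosed.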

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The documentation references gaokao/school-query behavior and a differently named project structure inside a news skill, indicating copy-paste drift or confused routing instructions. Security-relevant documentation inconsistency increases the chance that the model invokes unintended tools or that reviewers miss hidden capabilities because the declared purpose and operational guidance do not align.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The example invocation uses a school-search tool that contradicts the listed news toolset, which can misroute the agent or normalize invoking undeclared functions. In an agent setting, contradictory tool instructions are risky because they blur the allowed action surface and can lead to unintended data access or external calls.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code persists the provided API key into a local .env file without any user-facing disclosure, consent flow, or storage-safety controls. Persisting secrets by default can expose credentials to other local users, accidental source control commits, backups, logs, or tooling that reads workspace files.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill requires asking the user for an API key and persisting it for later use, but provides no constraints on secure storage, masking, scope limitation, retention, or later disclosure. Collecting and storing secrets this way materially increases the risk of credential leakage through logs, prompts, local files, or future tool calls.

Ssd 3

Medium
Confidence
90% confidence
Finding
The instruction to directly present `raw` API output to the user is unsafe because raw upstream responses may contain sensitive fields, internal metadata, debugging data, tokens, or unexpectedly unsafe content. Bypassing filtering and schema-based rendering makes accidental disclosure much more likely, especially since the skill already depends on an external service and handles credentials.
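The last three findings describe missing controls rather than malicious behaviour: no storage safety for the persisted key, no masking or removal path, and raw upstream output shown to the user. The code below is an added example of what those controls look like, written for this report and not taken from the skill or from the scanner. The variable name NEWS_API_KEY, the sample key, and the shape of the upstream JSON are assumptions.

```python
"""Safer handling of the two hazards in the findings above: persisting a
user-supplied API key, and rendering an upstream API response. Added example
for this report, not code from the skill or the scanner on this page;
NEWS_API_KEY, the upstream JSON shape and the sample key are assumptions."""
from __future__ import annotations

import json, os, re, shutil, stat, tempfile
from pathlib import Path

ALLOWED_FIELDS = ("title", "url", "source", "published_at")  # all the user sees
MAX_TITLE = 200


def write_env_entry(env_path: Path, name: str, value: str) -> None:
    """Create or update NAME=value in .env with mode 0600 and ensure .env is
    listed in the directory's .gitignore: the storage controls the findings miss."""
    if not re.fullmatch(r"[A-Z][A-Z0-9_]*", name):
        raise ValueError(f"refusing unsafe variable name {name!r}")
    if "\n" in value or "\r" in value:
        raise ValueError("refusing a value with line breaks (would inject entries)")
    lines = env_path.read_text().splitlines() if env_path.exists() else []
    lines = [ln for ln in lines if not ln.startswith(f"{name}=")] + [f"{name}={value}"]
    # 0600 at creation so there is no window with a world-readable secret; the
    # mode given to os.open only applies to new files, hence the explicit chmod.
    fd = os.open(env_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(ln + "\n" for ln in lines))
    os.chmod(env_path, 0o600)
    gitignore = env_path.parent / ".gitignore"
    ignored = gitignore.read_text().splitlines() if gitignore.exists() else []
    if ".env" not in ignored:
        with gitignore.open("a") as fh:
            fh.write(".env\n")


def remove_env_entry(env_path: Path, name: str) -> bool:
    """Drop NAME from .env when the skill is removed; True if an entry was removed."""
    if not env_path.exists():
        return False
    lines = env_path.read_text().splitlines()
    kept = [ln for ln in lines if not ln.startswith(f"{name}=")]
    if len(kept) == len(lines):
        return False
    env_path.write_text("".join(ln + "\n" for ln in kept))
    return True


def redact(secret: str) -> str:
    """Mask a key when confirming it to the user or writing a log line."""
    return "***" + secret[-4:] if len(secret) >= 8 else "***"


def render_news(raw_body: str) -> list[dict]:
    """Project upstream JSON onto ALLOWED_FIELDS instead of echoing it raw: unknown
    keys are dropped, items without an https URL or a title are skipped."""
    data = json.loads(raw_body)
    items = data.get("articles") if isinstance(data, dict) else None
    if not isinstance(items, list):
        raise ValueError("unexpected upstream shape: no 'articles' list")
    rendered = []
    for item in items:
        if not isinstance(item, dict):
            continue
        clean = {k: str(item.get(k, "")) for k in ALLOWED_FIELDS}
        clean["title"] = clean["title"].strip()[:MAX_TITLE]
        if clean["title"] and clean["url"].startswith("https://"):  # no javascript:/http:
            rendered.append(clean)
    return rendered


# Constructed upstream response; the extra fields are what a raw dump would leak.
SAMPLE_UPSTREAM = json.dumps({
    "status": "ok", "request_token": "sess-0123456789",
    "debug": {"upstream_host": "news-db-03.internal", "query_ms": 41},
    "articles": [
        {"title": "Central bank holds rates", "url": "https://news.example/a1",
         "source": "Example Wire", "published_at": "2024-05-01T08:00:00Z",
         "internal_id": 7781, "fetched_by_key": "nk_live_abcd1234"},
        {"title": "Click here", "url": "javascript:alert(1)", "source": "spam"},
        {"title": "   ", "url": "https://news.example/a3", "source": "Blank"},
    ],
})


def demo_key_lifecycle() -> dict:
    """Run the .env helpers in a throwaway directory and report what happened."""
    workdir = Path(tempfile.mkdtemp(prefix="skill-demo-"))
    try:
        env = workdir / ".env"
        write_env_entry(env, "NEWS_API_KEY", "nk_live_abcd1234")   # constructed key
        write_env_entry(env, "NEWS_API_KEY", "nk_live_rotated99")  # rotation replaces it
        report = {
            "env_text": env.read_text(),
            "group_other_bits": stat.S_IMODE(env.stat().st_mode) & 0o077,
            "gitignored": ".env" in (workdir / ".gitignore").read_text().splitlines(),
            "removed": remove_env_entry(env, "NEWS_API_KEY"),
        }
        report["removed_again"] = remove_env_entry(env, "NEWS_API_KEY")
        report["left_after_removal"] = env.read_text()
        return report
    finally:
        shutil.rmtree(workdir)
```

Run `demo_key_lifecycle()` to see the persistence path end to end (write, rotate, remove), and `render_news(SAMPLE_UPSTREAM)` to see that the session token, debug block, internal id and the `javascript:` link never reach the user. A skill that needs a key should also tell the user where it is written before writing it; the helpers above supply the mechanism, and the disclosure still has to be in the skill's instructions.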

VirusTotal

64/64 vendors rated this skill as clean.
